PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1006

Status:
14/06/2006  Issue Discovered
23/06/2006  Reported to the vendor (no response on repeated notification)
07/07/2006  Advisory Released

Class: Cross Site Scripting
Severity: Medium

Overview:
---------
PHP-Blogger is a free PHP script for creating a personal weblog (blog) or photoblog.
http://www.phpblogger.com

Description:
------------
Multiple cross-site scripting vulnerabilities exist due to input validation errors in parameters such as name, title, news, description and sitename in admin/actions.php. Successful exploitation requires authentication.

Impact:
-------
A remote attacker could inject malicious script code into the victim's browser within the security context of the hosting site, and could also steal the victim's cookie-based authentication credentials.

Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
Sample exploits:

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name

Insert "" in the above fields to try the exploit.

Analysis:
---------
Vulnerable code in admin/actions.php (example snippet):

    // request parameters are read straight from the request ...
    $id = getValue("id");
    $title = getValue("title");
    $description = getValue("description");
    $Post = $Blogger->getPost($id);
    $folder = $Post->getDir();
    // ... and stored on the post object without any sanitization or encoding
    $Post->setTitle($title);
    $Post->setDescription($description);
    $file = getPostFiles("pic0");

Input passed to many of the parameters in this script is not properly sanitized before being used.
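The snippet above stores the title and description exactly as received, and the advisory's solution is to sanitize the user input values. The following is an added example, written here for illustration and not taken from PHP-Blogger, of how the same fields could be handled safely: the field names are allow-listed with a length cap on the way in, and every value is HTML-encoded with htmlspecialchars() at the point where it is written into the page. The field names and limits are assumptions chosen for the example; the only PHP-Blogger identifier reused is the set of parameter names the advisory lists.

```php
<?php
// Added example, not PHP-Blogger code. Shows one way to neutralise the
// fields the advisory names (title, description, news, sitename, name).

// Allow-list of fields admin/actions.php is expected to receive, each with
// a maximum length (limits are assumptions chosen for this example).
const BLOG_FIELDS = [
    'title'       => 200,
    'description' => 2000,
    'news'        => 20000,
    'sitename'    => 100,
    'name'        => 100,
];

// Read one request field: reject names not on the allow-list, drop control
// characters, trim whitespace and cap the length. The value is kept as text;
// nothing is "stripped" here, because encoding happens on output.
function readField(string $field): string
{
    if (!isset(BLOG_FIELDS[$field])) {
        throw new InvalidArgumentException("unexpected field: $field");
    }
    $raw = (string) ($_POST[$field] ?? $_GET[$field] ?? '');
    $raw = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $raw);
    return mb_substr(trim($raw), 0, BLOG_FIELDS[$field]);
}

// Encode for an HTML text or attribute context. ENT_QUOTES converts both
// quote styles as well as <, > and &, so a <script> tag or a quote that
// tries to break out of an attribute is rendered as literal text.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demonstration with constructed input (not a real post): the kind of value
// the advisory describes being submitted through the admin forms.
$_POST = [
    'title'       => '<script>alert(1)</script>',
    'description' => 'x" onmouseover="alert(2)',
];
$title       = readField('title');
$description = readField('description');

// Before (the advisory's pattern): value written into the page verbatim.
// echo "<h1>$title</h1>";

// After: the same value encoded where it meets HTML.
echo "<h1>" . h($title) . "</h1>\n";
echo '<input type="text" name="description" value="' . h($description) . "\">\n";
```

Run with `php example.php`; the title prints as visible `&lt;script&gt;` text rather than executing, and the embedded quote in the description is emitted as `&quot;` so it cannot terminate the attribute. The stored value itself stays intact, which is what makes output encoding preferable to stripping tags on input: the same title can later be placed in a different context (a URL, a JSON feed) with the encoder appropriate to that context.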
CVSS Score Report:
------------------
ACCESS_VECTOR          = REMOTE
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = NONE
IMPACT_BIAS            = CONFIDENTIALITY
EXPLOITABILITY         = POC
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED

CVSS Base Score     = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
CVSS Temporal Score = 2.8
Risk factor         = Medium

Solution:
---------
Edit the source code to sanitize the user input values.

Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this vulnerability.