[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog 1. General Information OpenBlog is a free software for developing blogging platform. OpenBlog is written on PHP language and available at http://www.open-blog.info. In August 2010, Bkis Security discovered some XSS, CSRF vulnerabilities on this software; especially, there is a vulnerability which might allow privilege elevation on OpenBlog 1.2.1. Taking advantage of this vulnerability, hacker might execute malicious code on user's browser or even get control of Blog. Bkis has sent its warning to the developer. Details: http://security.bkis.com/?p=1382 SVRT Advisory: Bkis-04-2010 Initial vendor notification: 08/09/2010 Release Date: 08/23/2010 Update Date: 08/23/2010 Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - Bkis Attack Type: Bypass Authentication, XSS, CSRF Security Rating: High Impact: Code Execution Affected Software: Openblog< v1.2.1 2. Technical Details The most dangerous vulnerability resides on session module of OpenBlog. Exploiting this vulnerability, hacker can sign in a normal user' account but obtain administrator' privileges. This is due to the weakness in user's rights checking and authenticating mechanism, resulting in the high possibility of faking administrators' privileges. Besides, Bkis also found some XSS and CSRF vulnerabilities on the following OpenBlog's functions: XSS holes are found on the following modules: - Create a new post - Edit a post - Create a new page Because these modules' input variables are not adequately checked and filtered, hacker might insert his code into the path's links. If a user logins to his Blog and clicks the link, hacker's malicious code (JavaScript) will be executed, leading to the loss of user's personal information saved on the browser. CSRF vulnerabilities are found on the following modules: - Edit an user - Setting - Templates - Disable/Enable Sidebar - Feed settings - Bookmarking - New post - Edit a post - Delete a post - New page - Edit a page - Delete a page - New navigation item - Edit a navigation item - New link - Edit a link - Delete a link - New category - Edit a category - Delete a category - Delete a comment - Delete an user OpenBlog does not require user's confirmation when performing the above functions. Therefore, users might be tricked into performing unwanted actions without their consent, like clicking faulty links, etc. Specifically, hacker might fool Blog's administrators into deleting, editing the posts on the Blog. 3. Solution Rating the vulnerability as critical, Bkis recommends organizations, individuals using OpenBlog be cautious with links of unknown origins. At the same time, users should keep themselves updated with the developer's information to get timely update. ---------------------------------------------------------------------------- -- Bkis (www.bkis.com) Blog (blog.bkis.com)