TUCoPS :: Web :: Blogs :: tb12700.htm

Simple PHP Blog Multiple Vulnerabilities
Simple PHP Blog Multiple Vulnerabilities
Simple PHP Blog Multiple Vulnerabilities



Secure Network - Security Research Advisory

Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/ 
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca "Daath" De Fulgentis - daath@webapptest.org 
Vendor disclosure: 14th September 2007
Vendor acknowledged: 14th September 2007
Vendor patch release: 23rd September 2007
Public disclosure: 25th September 2007
Advisory number: SN-2007-03
Advisory URL: http://www.securenetwork.it/advisories/ 

*** SUMMARY ***

Simple PHP Blog is a blogging application that was written with simplicity of installation and maintenance in mind.
Unlike other blog software, there is almost no setup because it uses flat text files.

Multiple vulnerabilities have been reported in the latest version of this web application; probably all previous versions are affected to the same issues.
The specific issues include multiple cross-site scripting flaws and an arbitrary file upload vulnerability.
Various consequences are associated with these issues, such as theft of cookie-based authentication credentials and arbitrary remote code execution.

In order to exploit the arbitrary file upload vulnerability, a regular user should be authenticated. It should be noted that the latest versions of the application haven't multiple users support. Anyway, exploiting the XSS flaw is possible to steal the authentication token and then exploit the other vulnerability in order to execute arbitrary code (such a PHP shell).

*** VULNERABILITY DETAILS ***

(a) Cross Site Scripting (XSS)
Mutiple reflected XSS have been found in the "\themes\\user_style.php" file. 

Looking inside the application source code:
###### CUT HERE ######
 before the malicious JavaScript code.

The same problem arises in different point of the same script, for each different theme template:

background-color: #;
color: #;
color: #;
background-color: #;
border-color: #;
border-color: #;
color: #;
background-color: #;
color: #;
background: #;
border-top: 1px solid #;
color: #;
color: #;
color: #;
color: #;
color: #;
background-color: #;
border-color: #;
border-color: #;
color: #;
color: #;
color: #;
border-color: #;

(b) Arbitrary File Upload Vulnerability
Simple PHP Blog is prone to an arbitrary file upload flaw because the application fails to check the upload denied files.
In the file "upload_img_cgi.php" there's the following file content/extension check:

###### CUT HERE ######
if ( @getimagesize($_FILES['userfile']['tmp_name']) == FALSE ){
				echo('Image is not valid or not an image file.');
				exit;
				// redirect_to_url( 'upload_img.php' );
}
###### CUT HERE ######
			$upload_denied_extentions = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp","cgi", "html", "htm", "dll", "bat", "cmd" );
			$extension = strtolower(substr(strrchr($uploadfile, "."), 1));
			foreach ($upload_denied_extentions AS $denied_extention) {
				if($denied_extention == $extension) {
					echo('That filetype is not allowed');
					exit;
}}
###### CUT HERE ######

Using a fake GIF image is possible to bypass the image content control and the file extension check. 
Creating a file called "exploit.php." with the following content:

GIF89aD


An attacker could upload the script on the "/images" directory inside the application dir on the webserver. 
Thanks to "by-design" behaviors of Apache httpd mod_mime parsing files with multiple extensions, it's possible to execute the uploaded script. 
In Microsoft Windows server environment it's possible too, due to the filename with multiple dot handling.

Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process. 

*** EXPLOIT ***

Attackers may exploit this issue through a browser.

*** FIX INFORMATION ***

http://www.simplephpblog.com/index.php?entry=entry070923-004446 

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company, 
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright =A9 2007 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it 
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc 
Phone: +39 0363 560 402

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH