SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Forum/Board/Portal)  >  PsychoBlogger
Vendors:  Melrose, Yoshi
PsychoBlogger Input Validation Flaws Permit Cross-Site Scripting and SQL Injection Attacks
SecurityTracker Alert ID:  1008556
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Dec 27 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): PB-beta1
Description:  Several vulnerabilities were reported in the PsychoBlogger content management system. A remote user can inject SQL commands and can conduct cross-site scripting attacks.

Calum Power reported several input validation vulnerabilities in various components of the software.

It is reported that the 'shouts.php' script does not properly validate the 'shoutlimit' parameter and the 'comments.php' script does not properly validate the 'blogid' variable. A remote user can set the variables to a specially crafted value to execute SQL commands on the underlying database.

A demonstration exploit 'blogid' value is provided:

1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'

This demonstration exploit reportedly will display the user rights of the first user in the database. A remote user can exploit this flaw for other purposes, including obtaining the hashed passwords.
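To show why the 'blogid' payload above works and how parameterised queries neutralise it, here is an added example (not PsychoBlogger's code): the table and column names follow the advisory's payload, but the eight-column query shape and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed schema: table/column names match the advisory's payload,
# everything else is assumed for the demonstration.
SCHEMA = """
CREATE TABLE blog_authors (authorid INTEGER, name TEXT, pwd TEXT, email TEXT,
                           url TEXT, active INTEGER, comments TEXT);
CREATE TABLE blog_entries (blogid INTEGER, authorid INTEGER, preview TEXT,
                           entry TEXT, dateentered TEXT, title TEXT,
                           pageviews INTEGER, usepreview INTEGER, active INTEGER);
INSERT INTO blog_authors VALUES (1, 'admin', 'md5hash-placeholder', 'a@x', '', 1, '');
INSERT INTO blog_entries VALUES (1, 1, 'p', 'e', '2003-12-19', 'Hello', 0, 0, 1);
"""

# The 'blogid' value quoted in the advisory, verbatim.
PAYLOAD = ("1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,"
           "comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'")

SELECT = ("select blogid,preview,entry,dateentered,title,pageviews,usepreview,name "
          "from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid ")

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def comments_vulnerable(db, blogid):
    # Assumed defect: the request value is concatenated into the WHERE clause,
    # so the UNION in the payload appends the authors table (pwd included).
    return db.execute(SELECT + "where blogid=" + blogid + " and be.active=1").fetchall()

def comments_fixed(db, blogid):
    # Hardened form: an id must be digits only, and it is bound, never concatenated.
    if not blogid.isdigit():
        raise ValueError("blogid must be a positive integer")
    return db.execute(SELECT + "where blogid=? and be.active=1", (int(blogid),)).fetchall()
```

With the payload, `comments_vulnerable` returns a row whose third column is the author's stored password hash, while `comments_fixed` rejects the value before it reaches the database.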

It is also reported that the 'functions.php' script does not properly validate some input and may allow SQL injection.

It is also reported that the 'imageview.php' script does not filter HTML code from user-supplied information in the 'desc' variable before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PsychoBlogger software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/imageview.php?desc=</title><script>alert(document.cookie)</script>

Input validation flaws that permit cross-site scripting attacks were also reported in the 'entryadmin.php', 'authoredit.php', 'blockedit.php', 'configadmin.php', and 'quoteedit.php' scripts.
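An added detection example (not from the advisory or the vendor) that scans web-server access logs for the two input shapes this advisory describes: markup in imageview.php's 'desc' parameter, and non-numeric values in comments.php's 'blogid' and shouts.php's 'shoutlimit'. The log lines are constructed; the combined-log layout and the expected value shapes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines, not real traffic.
LOG = """
10.0.0.5 - - [27/Dec/2003:10:00:01 -0500] "GET /imageview.php?desc=holiday+photo HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.9 - - [27/Dec/2003:10:00:07 -0500] "GET /imageview.php?desc=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla"
10.0.0.9 - - [27/Dec/2003:10:00:12 -0500] "GET /comments.php?blogid=1%20and%20%27a%27%3D%27z%27%20union%20select%201 HTTP/1.1" 200 880 "-" "Mozilla"
10.0.0.3 - - [27/Dec/2003:10:00:20 -0500] "GET /comments.php?blogid=42 HTTP/1.1" 200 880 "-" "Mozilla"
"""

REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Parameters the advisory names, and the shape each should have.
NUMERIC_PARAMS = {"comments.php": "blogid", "shouts.php": "shoutlimit"}
TEXT_PARAMS = {"imageview.php": "desc"}
TAG = re.compile(r"<\s*/?\s*[a-z]", re.I)   # any opening or closing HTML tag

def scan(log):
    """Return (client, script, param, value) for each request whose
    parameter does not match the expected shape."""
    hits = []
    for line in log.strip().splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit("/", 1)[-1]
        params = parse_qs(url.query, keep_blank_values=True)
        if script in NUMERIC_PARAMS:
            name = NUMERIC_PARAMS[script]
            for v in params.get(name, []):
                if not v.isdigit():                 # an id is digits only
                    hits.append((client, script, name, v))
        if script in TEXT_PARAMS:
            name = TEXT_PARAMS[script]
            for v in params.get(name, []):
                if TAG.search(unquote(v)):          # second decode catches double-encoding
                    hits.append((client, script, name, v))
    return hits
```

Only query strings appear in access logs, so values sent in a POST body need the same checks inside the application itself.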

Impact:  A remote user can execute arbitrary SQL commands to, among other things, retrieve encrypted passwords from the database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Psychoblogger software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.psychoblogger.com/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Andrew Smith <parenthesis@elitehaven.net>
Message History:   None.


 Source Message Contents

Date:  Tue, 23 Dec 2003 15:51:57 -0800 (PST)
From:  Andrew Smith <parenthesis@elitehaven.net>
Subject:  Multiple Vulns in Psychoblogger beta1

Hello Bugtraq,

As a part of a recent code audit of the Psychoblogger beta1 code, multiple vulnerabilities were found
in the standard distributed code base. These vulnerabilities range from XSS exploits to SQL Injection exploits.

All details in attached advisory or at http://www.fribble.net/advisories/psychoblogger_19-12-03.txt

Kind Regards,
Calum Power

PS - Happy Christmas to everyone =)

_____________________________________________________________
Get 'yourname@elitehaven.net' free with 6mb of free email storage space! Visit http://www.elitehaven.net

Content-Type: text/plain; name="psychoblogger_19-12-03.txt"
Content-Disposition: inline; filename="psychoblogger_19-12-03.txt"
Content-Transfer-Encoding: base64


Copyright 2003, SecurityGlobal.net LLC