Secure Network - Security Research Advisory Vuln name: Simple PHP Blog Multiple Vulnerabilities Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous versions Systems not affected: - Severity: Medium Local/Remote: Remote Vendor URL: http://www.simplephpblog.com/ Author(s): Luca "ikki" Carettoni - [EMAIL PROTECTED], Luca "Daath" De Fulgentis - [EMAIL PROTECTED] Vendor disclosure: 14th September 2007 Vendor acknowledged: 14th September 2007 Vendor patch release: 23rd September 2007 Public disclosure: 25th September 2007 Advisory number: SN-2007-03 Advisory URL: http://www.securenetwork.it/advisories/
*** SUMMARY *** Simple PHP Blog is a blogging application that was written with simplicity of installation and maintenance in mind. Unlike other blog software, there is almost no setup because it uses flat text files. Multiple vulnerabilities have been reported in the latest version of this web application; probably all previous versions are affected to the same issues. The specific issues include multiple cross-site scripting flaws and an arbitrary file upload vulnerability. Various consequences are associated with these issues, such as theft of cookie-based authentication credentials and arbitrary remote code execution. In order to exploit the arbitrary file upload vulnerability, a regular user should be authenticated. It should be noted that the latest versions of the application haven't multiple users support. Anyway, exploiting the XSS flaw is possible to steal the authentication token and then exploit the other vulnerability in order to execute arbitrary code (such a PHP shell). *** VULNERABILITY DETAILS *** (a) Cross Site Scripting (XSS) Mutiple reflected XSS have been found in the "\themes\<themes name>\user_style.php" file. Looking inside the application source code: ###### CUT HERE ###### <style type="text/css"> body { background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>; color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>; ###### CUT HERE ###### It's easy to see that the "user_colors[bg_color]" is not validated and it's used directly inside an echo function. Sending a trivial HTTP request against PHP environments having register global ON is possible to exploit this unvalidated user input flaw. In detail, It's necessary to append a close HTML tag </style> before the malicious JavaScript code. The same problem arises in different point of the same script, for each different theme template: background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>; color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>; color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>; background-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>; border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>; border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>; color: #<?php echo( $user_colors[ 'header_txt_color' ] ); ?>; background-color: #<?php echo( $user_colors[ 'header_bg_color' ] ); ?>; color: #<?php echo( $user_colors[ 'footer_txt_color' ] ); ?>; background: #<?php echo( $user_colors[ 'footer_bg_color' ] ); ?>; border-top: 1px solid #<?php echo( $user_colors[ 'border_color' ] ); ?>; color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>; color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>; color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>; color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>; color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>; background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>; border-color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>; border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>; color: #<?php echo( $user_colors[ 'link_reg_color' ] ); ?>; color: #<?php echo( $user_colors[ 'link_hi_color' ] ); ?>; color: #<?php echo( $user_colors[ 'link_down_color' ] ); ?>; border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>; (b) Arbitrary File Upload Vulnerability Simple PHP Blog is prone to an arbitrary file upload flaw because the application fails to check the upload denied files. In the file "upload_img_cgi.php" there's the following file content/extension check: ###### CUT HERE ###### if ( @getimagesize($_FILES['userfile']['tmp_name']) == FALSE ){ echo('Image is not valid or not an image file.'); exit; // redirect_to_url( 'upload_img.php' ); } ###### CUT HERE ###### $upload_denied_extentions = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp","cgi", "html", "htm", "dll", "bat", "cmd" ); $extension = strtolower(substr(strrchr($uploadfile, "."), 1)); foreach ($upload_denied_extentions AS $denied_extention) { if($denied_extention == $extension) { echo('That filetype is not allowed'); exit; }} ###### CUT HERE ###### Using a fake GIF image is possible to bypass the image content control and the file extension check. Creating a file called "exploit.php." with the following content: GIF89aD <?php phpinfo(); ?> An attacker could upload the script on the "/images" directory inside the application dir on the webserver. Thanks to "by-design" behaviors of Apache httpd mod_mime parsing files with multiple extensions, it's possible to execute the uploaded script. In Microsoft Windows server environment it's possible too, due to the filename with multiple dot handling. Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process. *** EXPLOIT *** Attackers may exploit this issue through a browser. *** FIX INFORMATION *** http://www.simplephpblog.com/index.php?entry=entry070923-004446 ********************* *** LEGAL NOTICES *** ********************* Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating with software developers for properly handling disclosure issues. This advisory is copyright © 2007 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similars, provided that due credit is given to Secure Network The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible. E-mail: [EMAIL PROTECTED] GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc Phone: +39 0363 560 402