lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <000001cb4274$674b78b0$35e26a10$@bkav.com.vn>
Date: Mon, 23 Aug 2010 10:36:42 +0700
From: "Bkis" <minhbq@...v.com.vn>
To: <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: [Bkis-04-2010] Multiple Vulnerabilities in
	OpenBlog

[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

1. General Information

OpenBlog is a free software for developing blogging platform. OpenBlog is
written on PHP language and available at http://www.open-blog.info. In
August 2010, Bkis Security discovered some XSS, CSRF vulnerabilities on this
software; especially, there is a vulnerability which might allow privilege
elevation on OpenBlog 1.2.1. Taking advantage of this vulnerability, hacker
might execute malicious code on user's browser or even get control of Blog.
Bkis has sent its warning to the developer.

Details: http://security.bkis.com/?p=1382
SVRT Advisory: Bkis-04-2010
Initial vendor notification: 08/09/2010
Release Date: 08/23/2010
Update Date: 08/23/2010
Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - Bkis
Attack Type: Bypass Authentication, XSS, CSRF
Security Rating: High
Impact: Code Execution
Affected Software: Openblog< v1.2.1

2. Technical Details

The most dangerous vulnerability resides on session module of OpenBlog.
Exploiting this vulnerability, hacker can sign in a normal user' account but
obtain administrator' privileges. This is due to the weakness in user's
rights checking and authenticating mechanism, resulting in the high
possibility of faking administrators' privileges.   

Besides, Bkis also found some XSS and CSRF vulnerabilities on the following
OpenBlog's functions: 

XSS holes are found on the following modules: 
-	Create a new post 
-	Edit a post
-	Create a new page

Because these modules' input variables are not adequately checked and
filtered, hacker might insert his code into the path's links. If a user
logins to his Blog and clicks the link, hacker's malicious code (JavaScript)
will be executed, leading to the loss of user's personal information saved
on the browser.  

CSRF vulnerabilities are found on the following modules: 
-	Edit an user
-	Setting
-	Templates
-	Disable/Enable Sidebar  
-	Feed settings
-	Bookmarking
-	New post
-	Edit a post
-	Delete a post
-	New page
-	Edit a page
-	Delete a page
-	New navigation item
-	Edit a navigation item
-	New link
-	Edit a link
-	Delete a link
-	New category
-	Edit a category
-	Delete a category
-	Delete a comment
-	Delete an user

OpenBlog does not require user's confirmation when performing the above
functions. Therefore, users might be tricked into performing unwanted
actions without their consent, like clicking faulty links, etc.
Specifically, hacker might fool Blog's administrators into deleting, editing
the posts on the Blog.

3. Solution

Rating the vulnerability as critical, Bkis recommends organizations,
individuals using OpenBlog be cautious with links of unknown origins. At the
same time, users should keep themselves updated with the developer's
information to get timely update.

----------------------------------------------------------------------------
--
Bkis (www.bkis.com)
Blog (blog.bkis.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ