| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Aug 2010 19:52:50 +0300 From: Henri Salo <henri@...v.fi> To: full-disclosure@...ts.grok.org.uk Subject: Re: [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 23 Aug 2010 10:36:42 +0700 "Bkis" <minhbq@...v.com.vn> wrote: > [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog > > 1. General Information > > OpenBlog is a free software for developing blogging platform. > OpenBlog is written on PHP language and available at > http://www.open-blog.info. In August 2010, Bkis Security discovered > some XSS, CSRF vulnerabilities on this software; especially, there is > a vulnerability which might allow privilege elevation on OpenBlog > 1.2.1. Taking advantage of this vulnerability, hacker might execute > malicious code on user's browser or even get control of Blog. Bkis > has sent its warning to the developer. > > Details: http://security.bkis.com/?p=1382 > SVRT Advisory: Bkis-04-2010 > Initial vendor notification: 08/09/2010 > Release Date: 08/23/2010 > Update Date: 08/23/2010 > Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - > Bkis Attack Type: Bypass Authentication, XSS, CSRF > Security Rating: High > Impact: Code Execution > Affected Software: Openblog< v1.2.1 > > 2. Technical Details > > The most dangerous vulnerability resides on session module of > OpenBlog. Exploiting this vulnerability, hacker can sign in a normal > user' account but obtain administrator' privileges. This is due to > the weakness in user's rights checking and authenticating mechanism, > resulting in the high possibility of faking administrators' > privileges. > > Besides, Bkis also found some XSS and CSRF vulnerabilities on the > following OpenBlog's functions: > > XSS holes are found on the following modules: > - Create a new post > - Edit a post > - Create a new page > > Because these modules' input variables are not adequately checked and > filtered, hacker might insert his code into the path's links. If a > user logins to his Blog and clicks the link, hacker's malicious code > (JavaScript) will be executed, leading to the loss of user's personal > information saved on the browser. > > CSRF vulnerabilities are found on the following modules: > - Edit an user > - Setting > - Templates > - Disable/Enable Sidebar > - Feed settings > - Bookmarking > - New post > - Edit a post > - Delete a post > - New page > - Edit a page > - Delete a page > - New navigation item > - Edit a navigation item > - New link > - Edit a link > - Delete a link > - New category > - Edit a category > - Delete a category > - Delete a comment > - Delete an user > > OpenBlog does not require user's confirmation when performing the > above functions. Therefore, users might be tricked into performing > unwanted actions without their consent, like clicking faulty links, > etc. Specifically, hacker might fool Blog's administrators into > deleting, editing the posts on the Blog. > > 3. Solution > > Rating the vulnerability as critical, Bkis recommends organizations, > individuals using OpenBlog be cautious with links of unknown origins. > At the same time, users should keep themselves updated with the > developer's information to get timely update. > > ---------------------------------------------------------------------------- > -- > Bkis (www.bkis.com) > Blog (blog.bkis.com) Do you have CVE-identifier for these vulnerabilities? Best regards, Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkxz+OIACgkQXf6hBi6kbk/YUgCfX6TdYIBlXQJe1gSPWZ6Ge/T5 2/oAoLyjKxthFwJXtznB7Eh5xnh/uxK9 =kNMK -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists