[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
- From: Henri Salo <henri@xxxxxxx>
- Date: Tue, 24 Aug 2010 19:52:50 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 23 Aug 2010 10:36:42 +0700
"Bkis" <minhbq@xxxxxxxxxxx> wrote:
> [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
>
> 1. General Information
>
> OpenBlog is a free software for developing blogging platform.
> OpenBlog is written on PHP language and available at
> http://www.open-blog.info. In August 2010, Bkis Security discovered
> some XSS, CSRF vulnerabilities on this software; especially, there is
> a vulnerability which might allow privilege elevation on OpenBlog
> 1.2.1. Taking advantage of this vulnerability, hacker might execute
> malicious code on user's browser or even get control of Blog. Bkis
> has sent its warning to the developer.
>
> Details: http://security.bkis.com/?p=1382
> SVRT Advisory: Bkis-04-2010
> Initial vendor notification: 08/09/2010
> Release Date: 08/23/2010
> Update Date: 08/23/2010
> Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh -
> Bkis Attack Type: Bypass Authentication, XSS, CSRF
> Security Rating: High
> Impact: Code Execution
> Affected Software: Openblog< v1.2.1
>
> 2. Technical Details
>
> The most dangerous vulnerability resides on session module of
> OpenBlog. Exploiting this vulnerability, hacker can sign in a normal
> user' account but obtain administrator' privileges. This is due to
> the weakness in user's rights checking and authenticating mechanism,
> resulting in the high possibility of faking administrators'
> privileges.
>
> Besides, Bkis also found some XSS and CSRF vulnerabilities on the
> following OpenBlog's functions:
>
> XSS holes are found on the following modules:
> - Create a new post
> - Edit a post
> - Create a new page
>
> Because these modules' input variables are not adequately checked and
> filtered, hacker might insert his code into the path's links. If a
> user logins to his Blog and clicks the link, hacker's malicious code
> (JavaScript) will be executed, leading to the loss of user's personal
> information saved on the browser.
>
> CSRF vulnerabilities are found on the following modules:
> - Edit an user
> - Setting
> - Templates
> - Disable/Enable Sidebar
> - Feed settings
> - Bookmarking
> - New post
> - Edit a post
> - Delete a post
> - New page
> - Edit a page
> - Delete a page
> - New navigation item
> - Edit a navigation item
> - New link
> - Edit a link
> - Delete a link
> - New category
> - Edit a category
> - Delete a category
> - Delete a comment
> - Delete an user
>
> OpenBlog does not require user's confirmation when performing the
> above functions. Therefore, users might be tricked into performing
> unwanted actions without their consent, like clicking faulty links,
> etc. Specifically, hacker might fool Blog's administrators into
> deleting, editing the posts on the Blog.
>
> 3. Solution
>
> Rating the vulnerability as critical, Bkis recommends organizations,
> individuals using OpenBlog be cautious with links of unknown origins.
> At the same time, users should keep themselves updated with the
> developer's information to get timely update.
>
> ----------------------------------------------------------------------------
> --
> Bkis (www.bkis.com)
> Blog (blog.bkis.com)
Do you have CVE-identifier for these vulnerabilities?
Best regards,
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkxz+OIACgkQXf6hBi6kbk/YUgCfX6TdYIBlXQJe1gSPWZ6Ge/T5
2/oAoLyjKxthFwJXtznB7Eh5xnh/uxK9
=kNMK
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/