Re: [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

[Henri Salo <henri () nerv fi>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 23 Aug 2010 10:36:42 +0700
"Bkis" <minhbq () bkav com vn> wrote:

> [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
>
> 1. General Information
>
> OpenBlog is a free software for developing blogging platform.
> OpenBlog is written on PHP language and available at
> http://www.open-blog.info. In August 2010, Bkis Security discovered
> some XSS, CSRF vulnerabilities on this software; especially, there is
> a vulnerability which might allow privilege elevation on OpenBlog
> 1.2.1. Taking advantage of this vulnerability, hacker might execute
> malicious code on user's browser or even get control of Blog. Bkis
> has sent its warning to the developer.
>
> Details: http://security.bkis.com/?p=1382
> SVRT Advisory: Bkis-04-2010
> Initial vendor notification: 08/09/2010
> Release Date: 08/23/2010
> Update Date: 08/23/2010
> Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh -
> Bkis Attack Type: Bypass Authentication, XSS, CSRF
> Security Rating: High
> Impact: Code Execution
> Affected Software: Openblog< v1.2.1
>
> 2. Technical Details
>
> The most dangerous vulnerability resides on session module of
> OpenBlog. Exploiting this vulnerability, hacker can sign in a normal
> user' account but obtain administrator' privileges. This is due to
> the weakness in user's rights checking and authenticating mechanism,
> resulting in the high possibility of faking administrators'
> privileges.   
>
> Besides, Bkis also found some XSS and CSRF vulnerabilities on the
> following OpenBlog's functions: 
>
> XSS holes are found on the following modules: 
> -     Create a new post 
> -     Edit a post
> -     Create a new page
>
> Because these modules' input variables are not adequately checked and
> filtered, hacker might insert his code into the path's links. If a
> user logins to his Blog and clicks the link, hacker's malicious code
> (JavaScript) will be executed, leading to the loss of user's personal
> information saved on the browser.  
>
> CSRF vulnerabilities are found on the following modules: 
> -     Edit an user
> -     Setting
> -     Templates
> -     Disable/Enable Sidebar  
> -     Feed settings
> -     Bookmarking
> -     New post
> -     Edit a post
> -     Delete a post
> -     New page
> -     Edit a page
> -     Delete a page
> -     New navigation item
> -     Edit a navigation item
> -     New link
> -     Edit a link
> -     Delete a link
> -     New category
> -     Edit a category
> -     Delete a category
> -     Delete a comment
> -     Delete an user
>
> OpenBlog does not require user's confirmation when performing the
> above functions. Therefore, users might be tricked into performing
> unwanted actions without their consent, like clicking faulty links,
> etc. Specifically, hacker might fool Blog's administrators into
> deleting, editing the posts on the Blog.
>
> 3. Solution
>
> Rating the vulnerability as critical, Bkis recommends organizations,
> individuals using OpenBlog be cautious with links of unknown origins.
> At the same time, users should keep themselves updated with the
> developer's information to get timely update.
>
> ----------------------------------------------------------------------------
> --
> Bkis (www.bkis.com)
> Blog (blog.bkis.com)

Do you have CVE-identifier for these vulnerabilities?

Best regards,
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkxz+OIACgkQXf6hBi6kbk/YUgCfX6TdYIBlXQJe1gSPWZ6Ge/T5
2/oAoLyjKxthFwJXtznB7Eh5xnh/uxK9
=kNMK
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/