Simple PHP Blog Multiple Vulnerabilities

Secure Network - Security Research Advisory

Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous 
versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca 
"Daath" De Fulgentis - daath@webapptest.org
Vendor disclosure: 14th September 2007
Vendor acknowledged: 14th September 2007
Vendor patch release: 23rd September 2007
Public disclosure: 25th September 2007
Advisory number: SN-2007-03
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Simple PHP Blog is a blogging application that was written with simplicity of 
installation and maintenance in mind.
Unlike other blog software, there is almost no setup because it uses flat text 
files.

Multiple vulnerabilities have been reported in the latest version of this web 
application; probably all previous versions are affected to the same issues.
The specific issues include multiple cross-site scripting flaws and an 
arbitrary file upload vulnerability.
Various consequences are associated with these issues, such as theft of 
cookie-based authentication credentials and arbitrary remote code execution.

In order to exploit the arbitrary file upload vulnerability, a regular user 
should be authenticated. It should be noted that the latest versions of the 
application haven't multiple users support. Anyway, exploiting the XSS flaw is 
possible to steal the authentication token and then exploit the other 
vulnerability in order to execute arbitrary code (such a PHP shell).

*** VULNERABILITY DETAILS ***

(a) Cross Site Scripting (XSS)
Mutiple reflected XSS have been found in the "\themes\<themes 
name>\user_style.php" file. 

Looking inside the application source code:
###### CUT HERE ######
<style type="text/css">
body {
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
###### CUT HERE ######

It's easy to see that the "user_colors[bg_color]" is not validated and it's 
used directly inside an echo function.
Sending a trivial HTTP request against PHP environments having register global 
ON is possible to exploit this unvalidated user input flaw.
In detail, It's necessary to append a close HTML tag </style> before the 
malicious JavaScript code.

The same problem arises in different point of the same script, for each 
different theme template:

background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'header_txt_color' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'header_bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'footer_txt_color' ] ); ?>;
background: #<?php echo( $user_colors[ 'footer_bg_color' ] ); ?>;
border-top: 1px solid #<?php echo( $user_colors[ 'border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_reg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_hi_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_down_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;

(b) Arbitrary File Upload Vulnerability
Simple PHP Blog is prone to an arbitrary file upload flaw because the 
application fails to check the upload denied files.
In the file "upload_img_cgi.php" there's the following file content/extension 
check:

###### CUT HERE ######
if ( @getimagesize($_FILES['userfile']['tmp_name']) == FALSE ){
                                echo('Image is not valid or not an image 
file.');
                                exit;
                                // redirect_to_url( 'upload_img.php' );
}
###### CUT HERE ######
                        $upload_denied_extentions = array( "exe", "pl", "php", 
"php3", "php4", "php5", "phps", "asp","cgi", "html", "htm", "dll", "bat", "cmd" 
);
                        $extension = strtolower(substr(strrchr($uploadfile, 
"."), 1));
                        foreach ($upload_denied_extentions AS 
$denied_extention) {
                                if($denied_extention == $extension) {
                                        echo('That filetype is not allowed');
                                        exit;
}}
###### CUT HERE ######

Using a fake GIF image is possible to bypass the image content control and the 
file extension check. 
Creating a file called "exploit.php." with the following content:

GIF89aD
<?php phpinfo(); ?>

An attacker could upload the script on the "/images" directory inside the 
application dir on the webserver. 
Thanks to "by-design" behaviors of Apache httpd mod_mime parsing files with 
multiple extensions, it's possible to execute the uploaded script. 
In Microsoft Windows server environment it's possible too, due to the filename 
with multiple dot handling.

Exploiting this issue could allow an attacker to upload and execute arbitrary 
script code in the context of the affected webserver process. 

*** EXPLOIT ***

Attackers may exploit this issue through a browser.

*** FIX INFORMATION ***

http://www.simplephpblog.com/index.php?entry=entry070923-004446

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright © 2007 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 402