[Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

1. General Information

OpenBlog is a free software for developing blogging platform. OpenBlog is
written on PHP language and available at http://www.open-blog.info. In
August 2010, Bkis Security discovered some XSS, CSRF vulnerabilities on this
software; especially, there is a vulnerability which might allow privilege
elevation on OpenBlog 1.2.1. Taking advantage of this vulnerability, hacker
might execute malicious code on user's browser or even get control of Blog.
Bkis has sent its warning to the developer.

Details: http://security.bkis.com/?p=1382
SVRT Advisory: Bkis-04-2010
Initial vendor notification: 08/09/2010
Release Date: 08/23/2010
Update Date: 08/23/2010
Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - Bkis
Attack Type: Bypass Authentication, XSS, CSRF
Security Rating: High
Impact: Code Execution
Affected Software: Openblog< v1.2.1

2. Technical Details

The most dangerous vulnerability resides on session module of OpenBlog.
Exploiting this vulnerability, hacker can sign in a normal user' account but
obtain administrator' privileges. This is due to the weakness in user's
rights checking and authenticating mechanism, resulting in the high
possibility of faking administrators' privileges.   

Besides, Bkis also found some XSS and CSRF vulnerabilities on the following
OpenBlog's functions: 

XSS holes are found on the following modules: 
-  Create a new post 
-  Edit a post
-  Create a new page

Because these modules' input variables are not adequately checked and
filtered, hacker might insert his code into the path's links. If a user
logins to his Blog and clicks the link, hacker's malicious code (JavaScript)
will be executed, leading to the loss of user's personal information saved
on the browser.  

CSRF vulnerabilities are found on the following modules: 
-  Edit an user
-  Setting
-  Templates
-  Disable/Enable Sidebar  
-  Feed settings
-  Bookmarking
-  New post
-  Edit a post
-  Delete a post
-  New page
-  Edit a page
-  Delete a page
-  New navigation item
-  Edit a navigation item
-  New link
-  Edit a link
-  Delete a link
-  New category
-  Edit a category
-  Delete a category
-  Delete a comment
-  Delete an user

OpenBlog does not require user's confirmation when performing the above
functions. Therefore, users might be tricked into performing unwanted
actions without their consent, like clicking faulty links, etc.
Specifically, hacker might fool Blog's administrators into deleting, editing
the posts on the Blog.

3. Solution

Rating the vulnerability as critical, Bkis recommends organizations,
individuals using OpenBlog be cautious with links of unknown origins. At the
same time, users should keep themselves updated with the developer's
information to get timely update.

----------------------------------------------------------------------------
--
Bkis (www.bkis.com)
Blog (blog.bkis.com)