Simple PHP Blog Discloses Files to Remote Users and Lets Remote Users Create Directories
SecurityTracker Alert ID: 1012809
SecurityTracker URL: http://securitytracker.com/id/1012809
Updated: Jan 13 2005
Original Entry Date: Jan 7 2005
Impact: Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): 0.3.7c; possibly others
Madelman reported an input validation vulnerability in Simple PHP Blog. A remote user can view certain files on the target system. A remote user can also create arbitrary directories on the target system.
The software does not properly validate user-supplied input in the 'entry' parameter. A remote user can submit a specially crafted URL to view files that have a '.TXT' file extension. A demonstration exploit URL (to read '/etc/X11/rgb.txt') is provided:
A remote user can submit a POST request to the 'comment_add_cgi.php' script to create arbitrary directories on the target system with the privileges of the target web service. A demonstration exploit POST entry value is provided:
The contents of the submitted comment will be placed in the directory.
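As an added illustration of the fix direction, not SPHPBlog's code or the vendor's 0.3.7r2 patch, the following PHP sketch validates the 'entry' parameter before it touches the filesystem and covers both the file-read and the directory-creation paths described above. The entry directory layout, the `.txt` naming and the `resolve_entry_path`/`comment_dir_for` helpers are assumptions for this example.

```php
<?php
// Added example (not the vendor's patch): constrain a user-supplied
// 'entry' value before it is ever used to build a filesystem path.
// Assumptions (hypothetical): entries are .txt files directly under
// $entryDir, and a valid entry name is a short token of [A-Za-z0-9_-].

function resolve_entry_path(string $entryDir, string $entry): ?string
{
    // Step 1, syntactic allow-list: slashes, dots, NUL bytes and encoded
    // separators cannot pass, so "../" never reaches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $entry)) {
        return null;
    }
    // Step 2, semantic check: canonicalise base and candidate and confirm
    // the candidate really lies below the base directory.
    $base = realpath($entryDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $entry . '.txt');
    if ($candidate === false) {
        return null; // a missing file is treated exactly like bad input
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // symlink or mount trick escaped the entry directory
    }
    return $candidate;
}

// The comment handler must never mkdir() from a user-controlled value:
// derive the comment directory from the validated entry path instead.
function comment_dir_for(string $entryDir, string $entry): ?string
{
    $path = resolve_entry_path($entryDir, $entry);
    if ($path === null) {
        return null;
    }
    return dirname($path) . DIRECTORY_SEPARATOR . 'comments'
         . DIRECTORY_SEPARATOR . basename($path, '.txt');
}

// Constructed self-check: one legitimate entry and two hostile values.
$entryDir = sys_get_temp_dir() . '/sphpblog_entries';
if (!is_dir($entryDir)) { mkdir($entryDir, 0700, true); }
file_put_contents($entryDir . '/entry1.txt', "hello\n");
foreach (['entry1', '../../etc/X11/rgb', 'createdir/'] as $entry) {
    $result = resolve_entry_path($entryDir, $entry);
    printf("%-22s => %s\n", $entry, $result === null ? 'rejected' : $result);
}
```

The allow-list alone stops both reported cases; the realpath prefix check is the defence-in-depth layer for symlinked or otherwise unusual entry directories.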
The vendor was notified on January 2, 2005.
A remote user can view files on the target system that have a '.TXT' file extension.
A remote user can create arbitrary directories on the target system.
The vendor has issued a fixed version (0.3.7r2), available at:
Vendor URL: www.bigevilbrain.com/sphpblog/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: Simple PHP Blog directory traversal vulnerability
Title: Simple PHP Blog directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
I started this project because I wanted a dead-simple blog. Something
that didn't require a database, used flat text files, and looked nice.
The main advantage of using Simple PHP Blog is that it only requires PHP
4 (or greater) and write permission on the server. Unlike other blog
software, there is almost no setup - just unzip and copy...
(from vendor site: http://www.bigevilbrain.com/sphpblog/)
SPHPBlog doesn't check the entry parameter, which allows directory traversal.
This vulnerability has been tested with SPHPBlog 0.3.7c
We can read any file with TXT extension (in this example /etc/X11/rgb.txt)
returns the content of the file
We can create arbitrary folders in the filesystem and the content of the
post will be saved in this folder.
To create folder http://[SERVER]/sphpblog/createdir/
REQUEST (this must be a POST request and we must modify entry parameter):
Update to latest version (at this moment 0.3.7r2)
02/01/2005 - Vulnerability found
02/01/2005 - Vendor contacted
02/01/2005 - Vendor confirmed and implemented a patch for the first vuln
04/01/2005 - Vendor implemented a patch for the second vuln
07/01/2005 - Advisory released