


Category:   Application (Forum/Board/Portal)  >   Simple PHP Blog
Vendors:   Palmo, Alexander
Simple PHP Blog Discloses Files to Remote Users and Lets Remote Users Create Directories
SecurityTracker Alert ID:  1012809
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 13 2005
Original Entry Date:  Jan 7 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.3.7c; possibly others
Description:   Madelman reported an input validation vulnerability in Simple PHP Blog. A remote user can view certain files on the target system. A remote user can also create arbitrary directories on the target system.

The software does not properly validate user-supplied input in the 'entry' parameter. A remote user can submit a specially crafted URL to view files that have a '.TXT' file extension. A demonstration exploit URL (to read '/etc/X11/rgb.txt') is provided:


A remote user can submit a POST request to the 'comment_add_cgi.php' script to create arbitrary directories on the target system with the privileges of the target web service. A demonstration exploit POST entry value is provided:


The contents of the submitted comment will be placed in the directory.

The vendor was notified on January 2, 2005.
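
One way to close both issues described above is to check 'entry' against an allowlist before it reaches any filesystem call, and then confirm that the resolved path stays under the content directory. This is an added example, not Simple PHP Blog's code or the vendor's patch; the function names, the identifier pattern and the directory layout are assumptions.

```php
<?php
// Added example: hypothetical helpers, not Simple PHP Blog's code or its patch.
// Assumptions: an entry is stored as <root>/<id>.txt, its comments live in
// <root>/<id>/comments, and an id uses only letters, digits, '_' and '-'.
const ENTRY_ID_PATTERN = '/\A[A-Za-z0-9_-]{1,64}\z/';

function is_valid_entry_id($entry): bool
{
    // No '.', '/', '\' or NUL can match, so '../' sequences are rejected.
    return is_string($entry) && preg_match(ENTRY_ID_PATTERN, $entry) === 1;
}

function resolve_entry_file(string $contentRoot, $entry): ?string
{
    $root = realpath($contentRoot);
    if ($root === false || !is_valid_entry_id($entry)) {
        return null;
    }
    // Defence in depth: with symlinks resolved, the file must still be under the root.
    $path = realpath($root . DIRECTORY_SEPARATOR . $entry . '.txt');
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function comment_dir_for_entry(string $contentRoot, $entry): ?string
{
    // A comment directory is created only for an entry that already exists,
    // so a POST cannot name a new location on disk.
    if (resolve_entry_file($contentRoot, $entry) === null) {
        return null;
    }
    $dir = realpath($contentRoot) . DIRECTORY_SEPARATOR . $entry
         . DIRECTORY_SEPARATOR . 'comments';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    return $dir;
}

// Constructed demo data in a scratch directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sphp_demo_' . getmypid();
mkdir($root, 0750, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'entry050107.txt', 'hello');
foreach (['entry050107', '../../../createdir', ['x']] as $candidate) {
    echo var_export(comment_dir_for_entry($root, $candidate), true), PHP_EOL;
}
```

Only the first candidate yields a directory; the traversal value from the advisory and the non-string input both return NULL before any path is built.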

Impact:   A remote user can view files on the target system that have a '.TXT' file extension.

A remote user can create arbitrary directories on the target system.

Solution:   The vendor has issued a fixed version (0.3.7r2), available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  Simple PHP Blog directory traversal vulnerability


Title: Simple PHP Blog directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT>
Date: 02/01/2005
Severity: Moderate

--------

I started this project because I wanted a dead-simple blog. Something
that didn't require a database, used flat text files, and looked nice.

The main advantage of using Simple PHP Blog is that it only requires PHP
4 (or greater) and write permission on the server. Unlike other blog
software, there is almost no setup - just unzip and copy...
(from vendor site:

SPHPBlog doesn't check the entry parameter which allows directory traversal

This vulnerability has been tested with SPHPBlog 0.3.7c

--------

We can read any file with TXT extension (in this example /etc/X11/rgb.txt)


returns the content of the file

We can create arbitrary folders in the filesystem and the content of the
post will be saved in this folder.

To create folder http://[SERVER]/sphpblog/createdir/

REQUEST (this must be a POST request and we must modify entry parameter):
~    entry=../../../createdir

--------

Update to latest version (at this moment 0.3.7r2)

--------

02/01/2005 - Vulnerability found
02/01/2005 - Vendor contacted
02/01/2005 - Vendor confirmed and implemented a patch for the first vuln
04/01/2005 - Vendor implemented a patch for the second vuln
07/01/2005 - Advisory released

