SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   ar-blog
Vendors:   ar-blog.com
ar-blog Bugs Let Remote Users Bypass Authentication or Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015100
SecurityTracker URL:  http://securitytracker.com/id/1015100
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 25 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.2 and prior versions
Description:   A vulnerability was reported in ar-blog. A remote user can conduct cross-site scripting attacks. A remote user can also gain administrative access to the application.

The software does not properly filter HTML code from user-supplied input before displaying the input when adding a comment. A remote user can submit a specially crafted comment that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ar-blog software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
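The comment-display flaw described above, next to an output-encoded version, as an added example (not ar-blog's code, which is not shown on this page). The function names are hypothetical; the sample comment is the one quoted in the source message below.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the comment body quoted in the source message.
SAMPLE_COMMENT = "<script>alert(document.cookie);</script>"

def render_comment_unsafe(author: str, body: str) -> str:
    """Models the reported flaw: stored input is placed in the page as-is."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def render_comment_safe(author: str, body: str) -> str:
    """Encode every user-controlled field at output time."""
    return '<div class="comment"><b>{}</b>: {}</div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )

def session_cookie_header(token: str) -> str:
    """Build Set-Cookie attributes; HttpOnly hides the cookie from document.cookie."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

if __name__ == "__main__":
    print(render_comment_unsafe("visitor", SAMPLE_COMMENT))
    print(render_comment_safe("visitor", SAMPLE_COMMENT))
    print("Set-Cookie:", session_cookie_header("constructed-token-value"))
```

Encoding at output is the fix for the injection itself; the HttpOnly attribute only limits what an injected script can read if encoding is missed somewhere.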

A remote user can also set specially crafted cookies and then load the following URL to gain administrative access to the control panel:

http://[target]/admin
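An added example (not ar-blog's code) of why a fixed, client-settable cookie value cannot serve as proof of login, beside a server-signed session token that can. The cookie name `admin`, the token layout and all function names are assumptions made for illustration; the page does not give the real cookie names or values.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a random secret generated per installation and kept server-side.
SECRET_KEY = secrets.token_bytes(32)

def is_admin_weak(cookies: dict) -> bool:
    """Constructed model of the flaw: the same fixed value works on every site."""
    return cookies.get("admin") == "1"

def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user: str, ttl: int = 3600, now=None, key: bytes = SECRET_KEY) -> str:
    """Issue 'user|expiry|mac' only after a successful password check."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload, key)}"

def verify_token(token: str, now=None, key: bytes = SECRET_KEY):
    """Return the user name for a valid, unexpired token, otherwise None."""
    try:
        user, expires, sig = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return None  # wrong field count or non-numeric expiry
    expected = _sign(f"{user}|{expires}", key)
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) >= expires_at:
        return None
    return user

if __name__ == "__main__":
    print(is_admin_weak({"admin": "1"}))            # client-chosen value accepted
    token = issue_token("admin", ttl=60)
    print(verify_token(token))                      # valid token
    print(verify_token("admin|9999999999|forged"))  # rejected: bad MAC
```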

_MoHaJaLi_ discovered this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ar-blog software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can also gain administrative access to the application.

Solution:   No solution was available at the time of this entry. The vendor is working on a fix.
Vendor URL:  www.ar-blog.com/
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Fwd: Vulnerability in Ar-blog ver 5.2 and prior

---------- Forwarded message ----------
From: (M.o.H.a.J.a.L.i) <mohajali2k4@gmail.com>
Date: Oct 25, 2005 12:52 AM
Subject: Vulnerability in Ar-blog ver 5.2 and prior versions
To: bugtraq@securityfocus.com

Vulnerability in Ar-blog ver 5.2 and prior

Software: Ar-blog
Vulnerable versions: <= 5.2
Type: XSS, Login Bypass
Risk: Critical
Date: 23st October 2005
Vendor: ar-blog (http://www.ar-blog.com)

Credit:
=======
These vulnerabilities were found by _MoHaJaLi_

Description:
============
Ar-blog is a script that you can use to make your own blog...and it has many
features that give the ability to manage your blog easily...and it is 100%
programmed by an Arabic programmer and is the first Arabic blog...

Vulnerability 1: XSS
========================================
When adding a comment on a blog u can add the following as the
comment...which will be executed when anyone views the blog and shows the
cookies of the viewing user :
<script>alert(document.cookie);</script>


Vulnerability 2: Login Bypass
========================================
if u edit the cookies with some variables u can go to
www.site.com/admin
and u will be directed to the control panel without being asked for password
P.S: all cookies have the same values...so if u just change the cookies for
the website u will be able to login automatically without a user or a pass

Patches:
========================================
The Programmer is developing a new version of the program that solves these
issues...and it will be out soon.


Greetings:
========================================
Greets fly out to all people at www.lezr.com <http://www.lezr.com/>


--
(r).....M-o-H-a-J-a-L-i....(c)


--
(r).....Now I Am Become Death....The Destroyer Of Worlds....(c)
