Grayscale Blog 0.8.0 - Security Bypass / SQL Injection / Cross-Site Scripting









# Security Advisory - Multiple Vulnerabilities in Grayscale Blog 0.8.0 #

Date            : 2007-02-24
Product         : Grayscale Blog
Version         : 0.8.0 - Prior version maybe also be affected
Vendor          : -

Vendor Status   : 2007-02-24 -> Not Informed!
                  2007-03-02 -> Contacted, waiting reply!
                  2007-03-09 -> Vendor never replyed

Source          : omnipresent - omni
E-mail          : omnipresent[at]email[dot]it

Google Dork     : "Powered by Grayscale Blog"

Security Issues :

1.) Security Query Bypass: [TESTED]

A user can do lots of stuff with some php scripts located in the directory "/scripts/", for example:

add_user.php - Security Bypass

// $user_id=$_REQUEST['user_id']; // not used
// $user_date_added=$_REQUEST['user_date_added']; // not used
// $user_lastmod=$_REQUEST['user_lastmod']; // not used

// define the query
$query = "INSERT INTO blog_users (user_loginname, user_password, user_real_name, user_email, user_date_added, user_lastmod, user_permissions, user_added_by, user_lastmod_by, user_allow )
           values ('$user_loginname', '$user_password', '$user_real_name', '$user_email', NOW(), NOW(), '$user_permissions', '$user_added_by', '$user_lastmod_by', '$user_allow')";

As you can see the code there are no security restriction for any users!! Everyone can add a user with Administrator Privilege ($user_permissions = 3).

Other files affected by some security issues, like the above, are:




And you have admin rights!

2.) XSS Vulnerability: [TESTED]

Security issue in the following files:

-"/scripts/addblog_comment.php" -> variables are not properly sanitized before being used in the query string
-"detail.php" -> variables are not properly sanitized before being used in the query string (query2 -> blog_comments)


You can put in the comment fields the following script:


3.) SQL Injection vulnerability: [NOT TESTED]

In lots of files variables are not properly sanitized before being used, these files are, for example:

-userdetail.php -> id variable
-jump.php       -> id variable and url variable for our redirect
-detail.php     -> id variable


http://vulnerable_server/path/detail.php?id=1;[SQL INJECTION]

.:. Patches:

0x0 No vendor patches released!
0x1 Edit the source code to ensure that input is properly verified.

# [2007-03-09]