Sense of Security – Security Advisory – SOS-11-002
| Release Date. | 28-Feb-2011 |
| Last Update. | – |
| Vendor Notification Date. | 14-Oct-2010 |
| Product. | PHP Blog Insert |
| Platform. | Independent |
| Affected versions. | All releases up to and including version 1.0.2 |
| Severity Rating. | High |
| Impact. | Authentication security bypass |
| Attack Vector. | Remote without authentication |
| Solution Status. | No solution currently exists for this vulnerability |
| CVE reference. | CVE – Not yet assigned |
Details.
PHP Blog Insert is a simple blog engine designed to be inserted into an existing web site or application. It is written in PHP and uses a MySQL backend. The application is vulnerable to an authentication bypass attack due to flawed and predictable access control and session management logic. The application assumes a user is authenticated as an administrator if a cookie is present within a web browser that is named the MD5 hash of the text string “admin”. Successful exploitation of this vulnerability will result in an attacker gaining access to the administration functionality of the application without the use of valid credentials.
The software can be obtained from:
http://sourceforge.net/projects/php-blog-insert/
Proof of Concept.
Set a cookie within your browser for the appropriate path and domain of the vulnerable application with the name “21232f297a57a5a743894a0e4a801fc3” and any value.
Navigate to a page that contains restricted administration functionality within the application such as add_entry.php or register.php.
Solution.
The vendor has not responded to our repeated email notifications and a private blog post on the author’s blog.
An updated release of PHP Blog Insert that corrects this vulnerability is not available.
Discovered by.
Sense of Security Labs.