Multiple vulnerabilities have been discovered in Ninja Blog, which can be exploited by malicious people to disclose system information, conduct cross-site scripting attacks, and disclose potentially sensitive information.

1) Input passed to the "cat" and "p" parameters in entries/index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

2) Input passed via the URL to index.php and xml.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed to the "cat", "p", and "archive" parameters in index.php is not properly verified before being used to read files. This can be exploited to display files with "txt" extension from local resources via directory traversal attacks.

The vulnerabilities are confirmed in version 4.8. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly verified and sanitised.

Provided and/or discovered by
1) Danny Moules and indoushka
2) Moudi
3) An anonymous person

Changelog
Further details available in Customer Area

Original Advisory
Danny Moules:
http://www.push55.co.uk/index.php?s=ad&id=6
https://www.push55.co.uk/poclibrary/ninjadesignscouk-1.txt

Moudi:
http://packetstormsecurity.org/0908-exploits/ninjablog-xss.txt

indoushka:
http://www.exploit-db.com/exploits/10991

Deep Links
Links available in Customer Area