CVE-2020-23356

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Nibbleblog by exploiting PHP type juggling. Attackers can log in as any user without valid credentials by submitting specially crafted password hashes. This affects all Nibbleblog installations running vulnerable versions.

💻 Affected Systems

Products:

• Nibbleblog

Versions: v3.7.1c and potentially earlier versions

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Any Nibbleblog installation with the vulnerable login.class.php file is affected regardless of configuration.

📦 What is this software?

Nibbleblog by Nibbleblog

View all CVEs affecting Nibbleblog →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the blog system allowing attackers to gain administrative access, modify content, upload malicious files, and potentially pivot to other systems.

🟠

Likely Case

Unauthorized access to the blog administration panel leading to content manipulation, defacement, or data theft.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH - This is a web application vulnerability that can be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - While still exploitable, internal systems typically have additional security layers and monitoring.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is simple to exploit with publicly available proof-of-concept code. Attackers only need to send specially crafted login requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in GitHub repository via pull request #148

Vendor Advisory: https://github.com/dignajar/nibbleblog/pull/148

Restart Required: No

Instructions:

1. Download the patched login.class.php file from the GitHub pull request. 2. Replace the vulnerable file at /admin/kernel/api/login.class.php. 3. No restart required as PHP files are interpreted on each request.

🔧 Temporary Workarounds

Temporary code modification

linux

Manually edit the vulnerable file to replace '==' with '===' for password hash comparison

Copy

sed -i "s/\$password_hash == \$user_hash/\$password_hash === \$user_hash/g" /path/to/admin/kernel/api/login.class.php

🧯 If You Can't Patch

• Implement web application firewall (WAF) rules to block authentication bypass attempts
• Restrict access to the admin interface using IP whitelisting or VPN requirements

🔍 How to Verify

Check if Vulnerable:

Copy

Check if login.class.php contains '==' comparison for password hashes instead of '==='

Check Version:

Copy

Check Nibbleblog version in configuration files or admin panel

Verify Fix Applied:

Copy

Verify that login.class.php now uses '===' for password hash comparisons

📡 Detection & Monitoring

Log Indicators:

• Multiple failed login attempts with unusual hash values
• Successful logins from unexpected IP addresses

Network Indicators:

• HTTP POST requests to login endpoint with specially crafted password parameters

SIEM Query:

Copy

source="web_logs" AND (uri_path="/admin/index.php" OR uri_path="/admin/kernel/api/login.class.php") AND (status=200 OR status=302) AND user_agent NOT IN ["expected_user_agents"]

📊 Metadata

CVE ID: CVE-2020-23356

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: January 27, 2021

Last Updated: November 21, 2024

🔗 References

• https://github.com/dignajar/nibbleblog/pull/148 Third Party Advisory
• https://github.com/dignajar/nibbleblog/pull/148 Third Party Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON