VYPR
Critical severity 9.8 · OSV Advisory · Published Dec 20, 2017 · Updated May 13, 2026

CVE-2017-17794

Description

validate_form_preferences in admin/preferences.php in BlogoText through 3.7.6 allows attackers to bypass intended access restrictions via vectors related to an e-mail address field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BlogoText through 3.7.6 allows attackers to bypass access restrictions by supplying an invalid email address in the preferences form.

Vulnerability

The flaw is in the validate_form_preferences function in admin/preferences.php of BlogoText through version 3.7.6. The function reads the e-mail address from the POST body with filter_input(INPUT_POST, 'email') and no filter argument, so PHP applies FILTER_DEFAULT and hands back whatever string was submitted, unchanged [1][2]; nothing at that point establishes that the value is an address. Because the code that follows assumes it is working with a validated e-mail, an invalid value (an empty string, arbitrary text) lets the subsequent validation logic be bypassed, and an attacker can push a preferences change past the intended restriction [1].

Exploitation

Per the CVSS 9.8 vector attached to this record, the attacker needs only network access to the BlogoText instance and no authentication. That assumption rests on the score rather than on a confirmed analysis: admin/preferences.php lives under the administration directory, so a practitioner should verify whether the form is reachable without an administrator session before treating this as a pre-authentication issue. The request itself is a POST to admin/preferences.php with the email parameter set to an invalid value, such as an empty string or text that is not an address; the validation routine then skips the intended access-restriction check and the preferences change is accepted [1].

Impact

Successful exploitation lets an attacker bypass the access restriction and alter application preferences, which can mean unauthorized configuration changes, disclosure of sensitive settings, or a foothold for further compromise of the application [1]. What is actually gained is bounded by what the preferences form controls; the critical rating (CVSS 9.8) reflects the assessed ease of exploitation over the network without authentication rather than the scope of the settings involved [1].

Mitigation

The fix is commit 256041d8cab2fdc50678f4d49d916fea25cdb4fd [2], which passes FILTER_VALIDATE_EMAIL to the filter_input call and adjusts the surrounding validation so that a non-string result (filter_input returns null for a missing field and false for one that fails the filter) is treated as an error rather than used as an address [2]. Upgrade to a release that contains this commit, or apply the patch by hand. No workaround is published, and the vulnerability is not currently listed in the CISA KEV catalog.
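The difference the fix makes, as an added example written for this page and not BlogoText's own code: the weak variant reads the field with the default filter and guards on `=== false`, a check that FILTER_DEFAULT can never trigger for a string, while the hardened variant applies FILTER_VALIDATE_EMAIL and handles the null and false results separately. The names read_post, validate_email_weak and validate_email_hardened are hypothetical; read_post stands in for filter_input() because INPUT_POST is empty when PHP runs on the command line, and the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

// Added example for this page, not BlogoText's code. It contrasts reading a
// form field with the default filter (FILTER_DEFAULT, which never rejects a
// string) against FILTER_VALIDATE_EMAIL, and shows why the three possible
// results of filter_input() must be handled separately. All names are
// hypothetical and the sample submissions below are constructed.

// Stand-in for filter_input(INPUT_POST, $key, $filter). INPUT_POST is empty
// when PHP runs on the CLI, so this reads from an explicit array while keeping
// filter_input()'s contract: null if the key is absent, false if the filter
// rejects the value, otherwise the filtered string.
function read_post(array $post, string $key, int $filter = FILTER_DEFAULT): string|false|null
{
    if (!array_key_exists($key, $post)) {
        return null;
    }
    return filter_var($post[$key], $filter);
}

// Weak pattern: no filter argument means FILTER_DEFAULT, which hands the raw
// string back unchanged. The `=== false` guard looks like validation but can
// never fire for a string, and the null case (field missing) is not checked
// at all, so every submission is accepted and stored verbatim.
function validate_email_weak(array $post): array
{
    $email  = read_post($post, 'email');
    $errors = [];
    if ($email === false) {
        $errors[] = 'email invalid';
    }
    return ['ok' => $errors === [], 'email' => $email, 'errors' => $errors];
}

// Hardened pattern: ask for FILTER_VALIDATE_EMAIL and branch on all three
// outcomes. Only a string that actually passed the filter is ever stored.
function validate_email_hardened(array $post): array
{
    $email  = read_post($post, 'email', FILTER_VALIDATE_EMAIL);
    $errors = [];
    if ($email === null) {
        $errors[] = 'email missing';
    } elseif ($email === false) {
        $errors[] = 'email invalid';
    }
    $ok = $errors === [];
    return ['ok' => $ok, 'email' => $ok ? $email : null, 'errors' => $errors];
}

// Constructed sample POST bodies (not captured traffic).
$samples = [
    'valid'     => ['email' => 'admin@example.com'],
    'empty'     => ['email' => ''],
    'not_email' => ['email' => 'not an address'],
    'markup'    => ['email' => '<b>x</b>@example.com'],
    'missing'   => [],
];

foreach ($samples as $label => $post) {
    $weak = validate_email_weak($post);
    $hard = validate_email_hardened($post);
    printf(
        "%-9s weak: ok=%-5s stored=%s | hardened: ok=%-5s stored=%s%s\n",
        $label,
        var_export($weak['ok'], true),
        var_export($weak['email'], true),
        var_export($hard['ok'], true),
        var_export($hard['email'], true),
        $hard['errors'] ? ' (' . implode(', ', $hard['errors']) . ')' : ''
    );
}
```

Run it with `php example.php`. With the default filter every sample, including the empty string, the missing field and the value carrying markup, is accepted and stored as submitted; with FILTER_VALIDATE_EMAIL only admin@example.com survives and the other four are reported as missing or invalid. FILTER_VALIDATE_EMAIL checks syntax only, so a handler that later echoes the stored value into HTML should still escape it on output.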

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches linked in this record yet; see the fix commit cited under Mitigation)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)