[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Quickblogger

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Quickblogger
From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Date: Tue, 5 Jul 2005 09:47:56 -0700

------------------------------------------------------------
    - EXPL-A-2005-011 exploitlabs.com Advisory 040 -
------------------------------------------------------------
                                   - QuickBlogger -






AFFECTED PRODUCTS
=================
QuickBlogger 1.4 ( and earlier )
http://www.jlwebworks.net/



OVERVIEW
========
QuickBlogger is a freeware flatfile php blog script
 written to simplify updating your blog/website.




DETAILS
=======
1. XSS

Quickblog comments section does not properly filter
malicious script content. XSS my be inserted in the
author and comment body sections. The malicious script
is the rendered upon visitation and executed in the
context of the users brower.




POC
===

1.
------

insert script into the "your name" and or
the "comment" section.




SOLUTION:
=========
vendor contact:
webmaster@xxxxxxxxxxxxxx June 11, 2005
webmaster@xxxxxxxxxxxxxx June 21, 2005

no response recieved



Credits
=======
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs

Donnie Werner

mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2005-011-quickblogger.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] RE: Tools accepted by the courts
Next by Date: [Full-disclosure] Forensic evidence pros and cons
Previous by thread: [Full-disclosure] DRUPAL-SA-2005-002 exploit
Next by thread: [Full-disclosure] Forensic evidence pros and cons
Index(es):
- Date
- Thread