[VulnWatch] xss in blog system
- To: vulnwatch@xxxxxxxxxxxxx
- Subject: [VulnWatch] xss in blog system
- From: "befcake beefy" <befcake@xxxxxxxxxxx>
- Date: Sat, 07 Aug 2004 02:15:32 +0000
I have discovered an XSS bug in the blog system which will allow session
hijack
it affects all versions of the blog till 1.6 alpha
author didn't respond to my emails so I am posting it here
author site : www.pluggedout.com
proof of concept:
http://www.pluggedout.com/blog/blog_exec.php?action=remove_blog&blogid=<script>alert(document.cookie);</script>
workaround/fix:
either you delete the query line in the error page
or add a strip_tags();
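The two workarounds named in the post, next to a stricter variant, as an added example that is not part of the original message and is not the blog project's code. All function names are hypothetical, and the hardened version assumes `blogid` is meant to be a positive integer, which the post does not state.

```php
<?php
// Added illustration; not code from the pluggedout blog project.
// Function names are hypothetical.

// "Before": the pattern the report describes, an error page that echoes
// the request parameter back unmodified.
function error_page_vulnerable(string $blogid): string
{
    return "<p>Error: could not remove blog " . $blogid . "</p>";
}

// Workaround from the post: strip_tags() drops the <script> element.
function error_page_strip_tags(string $blogid): string
{
    return "<p>Error: could not remove blog " . strip_tags($blogid) . "</p>";
}

// Assumption: blogid is a positive integer. Anything else is rejected.
function parse_blogid(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Stricter variant: validate on input, encode on output, and never
// reflect a rejected value (the post's "delete the query line" option).
function error_page_hardened(string $raw): string
{
    $id = parse_blogid($raw);
    if ($id === null) {
        return "<p>Error: invalid blog id</p>";
    }
    return "<p>Error: could not remove blog "
        . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . "</p>";
}

// Sample input: the parameter value from the URL in the post.
$sample = '<script>alert(document.cookie);</script>';
echo error_page_vulnerable($sample), "\n";
echo error_page_strip_tags($sample), "\n";
echo error_page_hardened($sample), "\n";
echo error_page_hardened('42'), "\n";
```

`strip_tags()` removes tags but leaves quote characters untouched, so it does not protect a value that is echoed inside an HTML attribute; `htmlspecialchars()` with `ENT_QUOTES` covers that case.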