[VulnWatch] xss in blog system

• Previous message: hellNbak: "[VulnWatch] MS04-025 - Ignorance is truly bliss...."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vulnwatch@vulnwatch.org
Date: Sat, 07 Aug 2004 02:15:32 +0000

i have discovered a xss bug in the blog system which will allow session
hijack
it affects all version of the blog tell 1.6 alpha
author didnt respond to my emails so i am posting it here
author site : www.pluggedout.com
proff on concept:
http://www.pluggedout.com/blog/blog_exec.php?action=remove_blog&blogid=>alert(document.cookie);</script>
workaround/fix:
either you delete the qurey line in the error page
or add a strip_tags();

_________________________________________________________________
Take charge with a pop-up guard built on patented Microsoft® SmartScreen
Technology
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
  Start enjoying all the benefits of MSN® Premium right now and get the
first two months FREE*.

• Previous message: hellNbak: "[VulnWatch] MS04-025 - Ignorance is truly bliss...."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]