[Full-disclosure] Quickblogger
Morning Wood
se_cur_ity at hotmail.com
Tue Jul 5 17:47:56 BST 2005
------------------------------------------------------------
- EXPL-A-2005-011 exploitlabs.com Advisory 040 -
------------------------------------------------------------
- QuickBlogger -
AFFECTED PRODUCTS
=================
QuickBlogger 1.4 ( and earlier )
http://www.jlwebworks.net/
OVERVIEW
========
QuickBlogger is a freeware flatfile php blog script
written to simplify updating your blog/website.
DETAILS
=======
1. XSS
Quickblog comments section does not properly filter
malicious script content. XSS my be inserted in the
author and comment body sections. The malicious script
is the rendered upon visitation and executed in the
context of the users brower.
POC
===
1.
------
insert script into the "your name" and or
the "comment" section.
SOLUTION:
=========
vendor contact:
webmaster at jlwebworks.net June 11, 2005
webmaster at jlwebworks.net June 21, 2005
no response recieved
Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
Donnie Werner
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
http://exploitlabs.com/files/advisories/EXPL-A-2005-011-quickblogger.txt
Full-Disclosure is hosted and sponsored by Secunia.