myBloggie delcomment.php Arbitrary Comment Deletion

2005-05-05T06:44:30
ID: OSVDB:16361
Type: osvdb
Reporter: Alberto Trivero (trivero@jumpy.it)
Modified: 2005-05-05T06:44:30

Description

Vulnerability Description

myBloggie contains a flaw that may allow a remote attacker to delete blog content. The issue is due to the 'index.php' script not properly authenticating delete requests.

Solution Description

Upgrade to version 2.1.2 or higher, as it has been reported to fix this vulnerability. In addition, myWebland has released a patch for some older versions.

Manual Testing Notes

http://[victim]/mybloggie/index.php?mode=delcom&comment_id=[comment_id]&confirm=yes

References:

Vendor URL: http://www.mywebland.com/
Vendor Specific Solution URL: http://mywebland.com/forums/viewtopic.php?t=180
Related OSVDB ID: 16360
Related OSVDB ID: 16359
Related OSVDB ID: 16362
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0049.html
ISS X-Force ID: 20437
CVE-2005-1499