blogBuddies index.php u Variable XSS

2005-11-25T08:33:15
ID OSVDB:21111
Type osvdb
Reporter ][GB][ (gb.network@gmail.com)
Modified 2005-11-25T08:33:15

Description

Vulnerability Description

blogBuddies contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'u' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, trumpetboy8282 has released a patch to address this vulnerability.
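As an added illustration, not blogBuddies' own code (the page layout and the way 'u' is used in index.php are assumed), the reflected-parameter pattern the advisory describes beside a hardened version that validates the value and HTML-encodes it before output:

```php
<?php
// Added illustration, not blogBuddies' code: how an unvalidated 'u'
// query parameter reflected into index.php output becomes an XSS sink,
// and how validation plus output encoding closes it. The markup is assumed.

declare(strict_types=1);

// Vulnerable pattern (assumed): the raw query value is interpolated into HTML,
// so any markup in 'u' is rendered and any script in it is executed.
function render_vulnerable(array $get): string
{
    $u = $get['u'] ?? '';
    return "<p>Viewing buddies of <b>$u</b></p>";
}

// Hardened pattern: check the value against the shape a username should
// have, then HTML-encode it for the context it lands in (HTML text).
function render_hardened(array $get): string
{
    $u = (string)($get['u'] ?? '');
    // Conservative allow-list for a username; anything else is discarded.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $u)) {
        $u = '';
    }
    // Encode quotes and angle brackets; substitute invalid UTF-8 rather than drop output.
    $safe = htmlspecialchars($u, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Viewing buddies of <b>$safe</b></p>";
}

// Constructed samples: a plain username and a value carrying HTML markup.
$samples = ['alice', '<i>not a name</i>'];
foreach ($samples as $s) {
    echo 'vulnerable: ', render_vulnerable(['u' => $s]), PHP_EOL;
    echo 'hardened:   ', render_hardened(['u' => $s]), PHP_EOL;
}
```

For the markup-bearing sample the vulnerable function emits the tags verbatim, while the hardened function rejects the value (it fails the allow-list) and would encode it as `&lt;i&gt;...` had it passed validation.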

References:

Vendor URL: http://sourceforge.net/projects/blogbuddies/
Vendor Specific Advisory URL
Security Tracker: 1015264
Secunia Advisory ID: 17741
Related OSVDB ID: 21112
Related OSVDB ID: 21113
Related OSVDB ID: 21643
CVE-2005-3954
Bugtraq ID: 15555