Plogger index.php Multiple Variable XSS

2005-12-13T18:08:03
ID OSVDB:21711
Type osvdb
Reporter r0t(krustevs@googlemail.com)
Modified 2005-12-13T18:08:03

Description

Vulnerability Description

Plogger contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'level' and 'searchterms' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

/index.php?level=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
/index.php?level=search&searchterms=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E
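With no vendor fix available, a defender's first step is to find requests matching this pattern in web server logs. The following is an added example (not part of the OSVDB record or of Plogger) that percent-decodes the 'level' and 'searchterms' parameters of index.php requests from Common Log Format lines and flags values carrying HTML or script markup; the log lines and IP addresses are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote

# The two index.php query parameters the advisory reports as unvalidated.
WATCHED_PARAMS = ("level", "searchterms")
# Markup that has no legitimate place in a gallery level name or a search term.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Common Log Format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def flagged_params(request_target: str) -> list:
    """Return the watched parameters whose decoded value carries HTML or script markup."""
    path, _, query = request_target.partition("?")
    if not path.endswith("index.php"):
        return []
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes once
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # Decode a second time so a double-encoded payload (%253C...) is seen as well.
            if MARKUP_RE.search(value) or MARKUP_RE.search(unquote(value)):
                hits.append(name)
                break
    return hits


def scan_access_log(lines):
    """Yield (client, target, flagged parameter names) for requests matching the advisory."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        hits = flagged_params(target)
        if hits:
            yield client, target, hits


# Constructed sample log lines (not from any real server); the first two mirror the test URLs above.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2005:18:08:03 +0000] "GET /index.php?level=%22%3E%3Cscript%3Ealert(\'r0t\')%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Dec/2005:18:08:05 +0000] "GET /index.php?level=search&searchterms=%22%3E%3Cscript%3Ealert(\'r0t\')%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [13/Dec/2005:18:09:11 +0000] "GET /index.php?level=search&searchterms=sunset%20beach HTTP/1.1" 200 2048',
    '203.0.113.4 - - [13/Dec/2005:18:10:42 +0000] "GET /index.php?level=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{client} -> {target} [{', '.join(hits)}]")
```

The second decode catches double-encoded variants, but a request matched here only shows that a reflection was attempted, not that the stored page or a victim's browser was affected.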

References:

Vendor URL: http://www.plogger.org/
Security Tracker: 1015380
Related OSVDB ID: 21710
Other Advisory URL: http://pridels.blogspot.com/2005/12/plogger-sqlxss-vuln.html
CVE: CVE-2005-4246
Bugtraq ID: 15839