pLog register.php XSS

2004-08-31T16:24:14
ID OSVDB:9437
Type osvdb
Reporter Jason Thistlethwaite(iadnah@lesrahpem.homelinux.org)
Modified 2004-08-31T16:24:14

Description

Vulnerability Description

pLog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the username and blog variables upon submission to the register.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: modify the source code to sanitize user input.
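As an added illustration of that workaround (this is not pLog's own register.php code), the snippet below shows the reflection pattern the advisory describes next to a hardened version: the submitted username and blog values are whitelist-validated and HTML-encoded before being written back into the registration form. The field names, the single-quoted attribute context and the helper names (valid_username, valid_blog_name, h) are assumptions.

```php
<?php
// Hypothetical register.php fragment (not pLog's code). Reads the two fields
// named in the advisory from the POST body only, so a crafted URL alone cannot
// populate them; encoding on output is still what prevents the XSS.
$username = (string) ($_POST['username'] ?? '');
$blog     = (string) ($_POST['blog'] ?? '');

// Whitelist validation: a registration name has no business containing markup.
function valid_username(string $u): bool {
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $u);
}

// Blog titles may be freer text, but length-limit them and reject characters
// that only matter inside HTML; output encoding below is the real safeguard.
function valid_blog_name(string $b): bool {
    $len = mb_strlen($b, 'UTF-8');
    return $len >= 1 && $len <= 64 && !preg_match('/[<>"\'&]/', $b);
}

// Encode for an HTML text or attribute context. ENT_QUOTES also escapes the
// single quote so a value cannot break out of a single-quoted attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$errors = [];
if ($username !== '' && !valid_username($username)) {
    $errors[] = 'Username may only contain letters, digits, "_", "." and "-".';
}
if ($blog !== '' && !valid_blog_name($blog)) {
    $errors[] = 'Blog name contains characters that are not allowed.';
}

// Vulnerable pattern (what the advisory describes): the raw value is written
// straight back into the form, so any markup in it is rendered by the browser.
//   echo "<input name='username' value='" . $username . "'>";

// Hardened output: every reflected value passes through h().
echo "<form method='post' action='register.php'>\n";
foreach ($errors as $e) {
    echo "  <p class='error'>" . h($e) . "</p>\n";
}
echo "  <input name='username' value='" . h($username) . "'>\n";
echo "  <input name='blog' value='" . h($blog) . "'>\n";
echo "  <button type='submit'>Register</button>\n";
echo "</form>\n";
```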

Short Description

pLog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the username and blog variables upon submission to the register.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

Vendor URL: http://sourceforge.net/projects/plog/
Security Tracker: 1011117
Secunia Advisory ID: 12415
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1288.html