MyST BlogSite URL Redirect / Information Leakage

`===============================  
MyST BlogSite | Multiple Vulnerabilities  
===============================  
  
  
1. VULNERABILITY DESCRIPTION  
  
  
--> Issue Title: Arbitrary URL Redirect  
Component: MyST BlogSite ClickDirector  
  
Ref: OWASP - Top 10 - 2010 - A10  
Ref-Link: https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards  
  
Proof-Of-Concept:  
http://blogsite.com/public/click/~sites/attacker.in/malware_exists_in_this_page/  
http://blog.cenzic.com/public/click/~sites/attacker.in/malware_exists_in_this_page/  
[FIXED]  
  
  
--> Issue Title: Information Leakage   
Ref: WASC-13  
Ref-Link: http://projects.webappsec.org/w/page/13246936/Information-Leakage  
  
This could be used to brute force (http://blogsite.com/login)  
  
Proof-Of-Concept:  
http://blogsite.com/public/mostl/1  
http://blogsite.com/public/mostl/2  
http://blogsite.com/public/my-account/1  
http://blogsite.com/public/my-account/2  
http://blogsite.com/public/object/1  
http://blogsite.com/public/object/2  
http://blogsite.com/public/object/3  
  
  
--> Issue Title: Arbitrary Text Insertion  
  
This could be used to deliver defamatory message to unaware users.  
  
Proof-of-Concept:  
http://blogsite.com/public/mostl-action/1?action=Browse&text=This%20blog%20was%200wned!  
  
  
  
2. VENDOR  
  
MyST Technology Partners, Inc.  
http://myst-technology.com/  
  
  
4. DISCLOSURE TIME-LINE  
  
2011-04-17: reported vendor  
2011-07-16: vulnerability found unfixed  
2011-07-16: vulnerability disclosed   
  
  
5. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/[MyST_BlogSite]_vulnerabilities_2011-07  
  
#yehg [2011-07-16]  
  
`