Lucene search

K

zeroblogXSS.txt

🗓️ 12 Oct 2005 00:00:00Reported by trueend5Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

ZeroBlog software XSS vulnerability in 'thread.php' allows remote attackers to launch malicious attacks using URL decode. No vendor-supplied patch availabl

Show more
Code
`Software: ZeroBlog  
Vendor: http://www.sothq.net  
Version: 1.2a , 1.1f  
Bug: XSS  
Exploitation: Remote  
---------------------------  
Introduction:  
Zeroblog: Feature ritch weblog, d-board, live webcam  
(option, and requires 3th party software), calendar,  
poll system, photogallery, smileys, search engine, 80%  
customizable and many more... most pages and modules  
can be switched on and off, custom text fields and  
more!!   
---------------------------  
vulnerability:  
XSS Vulnerability in 'thread.php' that may allow a  
remote user to launch cross-site scripting attacks  
Using URL decode.  
This issue could permit a remote attacker to create a  
malicious URI link that includes hostile HTML and  
script code. If this link were to be followed, the  
hostile code may be rendered in the web browser of the  
victim user. This would occur in the security context  
of the affected Web site and may allow for theft of  
cookie-based authentication credentials or other  
attacks.  
  
----------------------------  
Demonstration URL:  
http://example.com/thread.php?threadID='%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E  
-----------------------------  
Solution:  
There is no vendor-supplied patch for this issue at  
this time.  
-------------------------------  
Credits:  
Discovered & released by trueend5  
Security Science Researchers Institute Of Iran  
[KAPDA.ir]  
Original Advisory:  
http://irannetjob.com/content/view/141/28/  
  
  
  
  
__________________________________   
Yahoo! Music Unlimited   
Access over 1 million songs. Try it free.  
http://music.yahoo.com/unlimited/  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
12 Oct 2005 00:00Current
7.4High risk
Vulners AI Score7.4
23
.json
Report