---------- Forwarded message ----------
From: (M.o.H.a.J.a.L.i) <[email protected]>
Date: Oct 25, 2005 12:52 AM
Subject: Vulnerability in Ar-blog ver 5.2 and prior versions
To: [email protected]

Vulnerability in Ar-blog ver 5.2 and prior

Software: Ar-blog
Vulnerable versions: <= 5.2
Type: XSS, Login Bypass
Risk: Critical
Date: 23st October 2005
Vendor: ar-blog ( http://www.ar-blog.com)

Credit:

These vulnerabilities were found by MoHaJaLi

Description:

Ar-blog is a script that you can use to make your own blog…and it has many features that gives the ability to manage your blog easily…and it 100% programmed by arabic programmer and the first arabic blog…

Vulnerability 1: XSS

When adding a comment on a blog u can add the following as the comment…which will be executed when anyone views the blog and shows the cookies of the viewing user :
<script>alert(document.cookie);</script>

Vulnerability 2: Login Bypass

if u edit the cookies with some variables u can go to www.site.com/admin
and u will be directed to the control panel without being asked for password
P.S: all cookies has the same values…so if u just change the cookies for the website u will be able login automaticly without a user or a pass

Patches:

The Programmer is developing a new version of the program that solves these issues…and it will be out soon.

Greetings:

Greets fly out to all people at www.lezr.com

–
®…M-o-H-a-J-a-L-i…©

–
®…Now I Am Become Death…The Destroyer Of Worlds…©