[Full-disclosure] Quickblogger

2005-07-06T00:00:00
ID SECURITYVULNS:DOC:9075
Type securityvulns
Reporter Securityvulns
Modified 2005-07-06T00:00:00

Description


- EXPL-A-2005-011 exploitlabs.com Advisory 040 -

                               - QuickBlogger -

AFFECTED PRODUCTS

QuickBlogger 1.4 ( and earlier ) http://www.jlwebworks.net/

OVERVIEW

QuickBlogger is a freeware flatfile php blog script written to simplify updating your blog/website.

DETAILS

  1. XSS

The QuickBlogger comments section does not properly filter malicious script content. XSS may be inserted in the author and comment body fields. The malicious script is then rendered upon visitation and executed in the context of the user's browser.

POC

1.

insert script into the "your name" and/or the "comment" section.
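The pattern the advisory describes, shown as an added example (not QuickBlogger's own code, whose file layout and field names are not on the page and are assumed here): a minimal flat-file comment renderer that echoes the stored "your name" and "comment" fields unencoded, beside the hardened form that HTML-encodes every untrusted value at output time.

```php
<?php
// Added example, not QuickBlogger's own code. The flat-file format
// ("author<TAB>comment" per line) and the field names are assumptions.

// Constructed sample data: the second comment carries markup in both the
// author ("your name") field and the comment body.
$flatfile = "Alice\tNice post!\n"
          . "<script>alert('xss')</script>\tI <b>love</b> it\n";

function load_comments(string $data): array {
    $rows = [];
    foreach (explode("\n", rtrim($data, "\n")) as $line) {
        [$author, $body] = array_pad(explode("\t", $line, 2), 2, '');
        $rows[] = ['author' => $author, 'body' => $body];
    }
    return $rows;
}

// Vulnerable pattern: stored fields are interpolated straight into HTML, so
// any tag a visitor typed into the name or comment field becomes part of the
// page for every later visitor (stored XSS).
function render_unsafe(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= "<p><b>{$r['author']}</b>: {$r['body']}</p>\n";
    }
    return $html;
}

// Hardened form: encode each untrusted value at the point it is written into
// an HTML text node. ENT_QUOTES also covers attribute contexts; the charset
// must match the page's declared encoding.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= '<p><b>' . h($r['author']) . '</b>: ' . h($r['body']) . "</p>\n";
    }
    return $html;
}

$rows = load_comments($flatfile);
echo render_unsafe($rows);   // the <script> tag reaches the browser intact
echo render_safe($rows);     // emitted as &lt;script&gt;..., displayed as text
```

Encoding on output is the fix that closes the bug regardless of what was stored; input-side limits (length, rejecting tags where no markup is intended) are worthwhile as defence in depth but do not replace it.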

SOLUTION:

vendor contact: webmaster@jlwebworks.net June 11, 2005
                webmaster@jlwebworks.net June 21, 2005

no response received

Credits

This vulnerability was discovered and researched by Donnie Werner of exploitlabs

Donnie Werner

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2005-011-quickblogger.txt


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/