Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

PluggedOut Blog SQL injection and XSS

From: h e <het_ebadi () yahoo com>
Date: Sat, 4 Feb 2006 02:03:26 -0800 (PST)
PluggedOut Blog SQL INJECTION and XSS

PluggedOut Blog is an open source script you can run
on your web server to give you an online multi-user
journal or diary. 
It can be used equally well for any kind of calendar
application.Rather than give you a thousand things you
don't really want ...
PluggedOut Blog   : http://www.pluggedout.com/

Credit:
The information has been provided by Hamid Ebadi
(Hamid Network Security Team):admin () hamid ir 
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
PluggedOut Blog  Version : Version: 1.9.9c
(2006-01-13) 

example :
The following URL can be used to trigger an SQL
injection vulnerability in the exec.php   : 
http://[PluggedOut
Blog]/exec.php?action=comment_add&entryid=[SQL
INJECTION]

and XSS 
http://[PluggedOut
Blog]/problem.php?id=1&data=<script>alert('Hamid
Network Security Team -->
http://hamid.ir&apos;);alert(document.cookie)</script>



Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: