Vulnwatch mailing list archives
xss in blog system
From: "befcake beefy" <befcake () hotmail com>
Date: Sat, 07 Aug 2004 02:15:32 +0000
I have discovered an XSS bug in the blog system which will allow session hijack.
It affects all versions of the blog till 1.6 alpha.
The author didn't respond to my emails, so I am posting it here.

Author site: www.pluggedout.com

Proof of concept:
http://www.pluggedout.com/blog/blog_exec.php?action=remove_blog&blogid=<script>alert(document.cookie);</script>

Workaround/fix:
Either you delete the query line in the error page or add a strip_tags();
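The workaround described in the post above, as an added example that is not part of the original message or the blog system's own code: a hypothetical error-page handler that echoes `blogid` raw, beside a hardened form that validates it as an integer and encodes output. The function names, message text and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical error-page code, not taken from the blog system.
// Function names and message text are assumptions for illustration.

// Vulnerable pattern: the request parameter is echoed into HTML unchanged,
// so any markup in blogid is parsed by the browser.
function render_error_vulnerable(array $query): string
{
    $blogid = $query['blogid'] ?? '';
    return "<p>Could not remove blog entry: " . $blogid . "</p>";
}

// Hardened: blogid is expected to be numeric, so validate it as a positive
// integer and never reflect input that fails validation.
function render_error_hardened(array $query): string
{
    $raw = $query['blogid'] ?? '';
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return "<p>Invalid blog id.</p>";
    }
    return "<p>Could not remove blog entry: "
        . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . "</p>";
}

// For free-text values that must be echoed: encode for the HTML context.
// strip_tags() removes tags but leaves quotes untouched, which matters
// when the value is placed inside an attribute.
function render_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a valid id, the value from the post, a quoted value.
$samples = [
    ['blogid' => '42'],
    ['blogid' => '<script>alert(document.cookie);</script>'],
    ['blogid' => 'id"quoted'],
];

foreach ($samples as $q) {
    echo "raw:      ", render_error_vulnerable($q), "\n";
    echo "hardened: ", render_error_hardened($q), "\n";
    echo "encoded:  ", render_text($q['blogid']), "\n";
    echo "stripped: ", strip_tags($q['blogid']), "\n\n";
}
```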