Bug: Eggblog v3.1.0 XSS Vulnerability ( Ascii Version )
Search:
WLB2

CVE WLB2

WLB2.ORG
Full List
Bugs
Bogus
Tricks
Exploits
CVEMAP.ORG
Full List
Vendors
Products
Tools
CWE Dictionary
Dorks List
cIFrex
Search
Bugtraq
CVEMAP
CVE Id
CWE Id
RSS
Full List
Bugs
Exploits
Dorks
Information
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsec.org
Social

TwitterFacebook
Eggblog v3.1.0 XSS Vulnerability

Published
Credit
Risk
2007.11.15
mesut
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2007-5980
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

H - Security Labs

Eggblog v3.1.0 Security Advisory

ID : HSEC#20071111

General Information

--------------------------

Name : EggBlog v.3.1.0

Vendor HomePage :http://sourceforge.net/projects/eggblog/

Platforms : PHP && MySQL

Vulnerability Type : Input Validation Error

Timeline

-------------------------

08 October 2007 -- Vendor Contacted

30 October 2007 -- Vendor Replied

11 November 2007 -- New Release

11 November 2007 -- Advisory Released

What is Eggblog

------------------------

eggblog is a free PHP & MySQL blogging package. Features include an internal search engine,

photo albums, forums, plug-ins, guest comments to blog articles, automatic monthly archiving

of blog articles and RSS XML feeds for both the blog and forums.

I discovered the security holes when I was testing it for my personel web blog.

Vulnerability Overview

------------------------

The script is vulnerable to XSS attacks.

Details About Vulnerability

------------------------

XSS Vulnerability(home/rss.php)

At the rss.php line 6-7; there are unfiltered PHP_SELFs that can be used for XSS attacks.

---------

<a

href="../rss/blog.php">".$_SERVER['SERVER_NAME'].str_replace("/home/rs
s.php","",$_SERVER['

PHP_SELF'])."/rss/blog.php</a></li>

<a

href="../rss/topics.php">".$_SERVER['SERVER_NAME'].str_replace("/home/
rss.php","",$_SERVER

['PHP_SELF'])."/rss/topics.php</a></li>

---------

The attacker can succesfully launch XSS attacks with loading payload on to the URL after the

homerss.php. For example :

http://www.example.com/home/rss.php/<script>alert(1)</script>

Solutions

-----------------------

Download the new release : EggBlog v3.1.1

Credits

-----------------------

The vulnerabilities found on 08 October 2007

by Mesut Timur <mesut (at) h-labs (dot) org [email concealed]>

H - Security Labs , http://www.h-labs.org

Gebze Institue of Technology,Computer Engineering,http://www.gyte.edu.tr

References

-----------------------

http://sourceforge.net/forum/forum.php?forum_id=753622

http://www.eggblog.net

http://sourceforge.net/projects/eggblog/

Original Advisory : http://www.h-labs.org/blog/2007/11/11/eggblog_v3_1_0_xss_issues.html

Mesut TIMUR

http://www.h-labs.org

H - Security Labs Güvenlik Editörü

GYTE Bilgisayar Mühendisligi

ASCII VERSION
Copyright 2013, cxsecurity.com
 Ascii Version