bBlog blog name cross-site scripting

bblog-name-xss (15635) The risk level is classified as Medium Risk

Description:

bBlog is vulnerable to cross-site scripting. A remote attacker could post a blog message containing script embedded within the blog name, which would be executed in the victim's Web browser within the security context of the hosting site once the message is viewed. An attacker could use this vulnerability to steal other users' cookie-based authentication credentials.

Platforms Affected:

  • eadz, bBlog 0.7.2

Remedy:

No remedy available as of November 29, 2008.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Fri Mar 26 2004 - 14:08:45 CST, bblog 0.7.2 cross site scripting at http://archives.neohapsis.com/archives/bugtraq/2004-03/0278.html.
  • BID-13397: BBlog Index.PHP HTML Injection Vulnerability
  • CVE-2004-1865: Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability.
  • OSVDB ID: 10510: bBlog index.php blogname Variable XSS
  • SECTRACK ID: 1009564: bBlog Input Validation Flaw in Blog Name Permits Cross-Site Scripting Attacks

Reported:

Mar 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net