ISS X-Force Database: blogbuddies-multiple-scripts-xss(23331): blogBuddies multiple scripts allow cross-site scripting

blogBuddies multiple scripts allow cross-site scripting

blogbuddies-multiple-scripts-xss (23331)

Medium Risk

Description:

blogBuddies is vulnerable to cross-site scripting. A remote attacker could send an XML link containing malicious script to the index.php script using the 'u' parameter, the magpie_debug.php script using the url parameter or to the magpie_slashbox.php script using the rss_url parameter which, once the link is clicked, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to view or steal the victim's cookie-based authentication credentials.

Platforms Affected:

blogBuddies, blogBuddies 3.0

Remedy:

Apply patch #1366743 for blogBuddies available from the SourceForge.net Web page. See References.

Consequences:

Gain Access

References:

SourceForge.net, blogBuddies at http://sourceforge.net/projects/blogbuddies/.
SourceForge.net, [ 1366743 ] Patch for Cross-Site Scripting vulnerability in blogBuddies at http://sourceforge.net/tracker/index.php?func=detail&aid=1366743&group_id=127552&atid=708847.
BID-15555: BlogBuddies Multiple Cross-Site Scripting Vulnerabilities
CVE-2005-3954: Cross-site scripting (XSS) vulnerability in blogBuddies 0.3 allows remote attackers to inject arbitrary web script or HTML via the u parameter to index.php.
OSVDB ID: 21111: blogBuddies index.php u Variable XSS
SA17741: blogBuddies Cross-Site Scripting Vulnerabilities
SECTRACK ID: 1015264: blogBuddies Input Validation Holes Let Remote Users Conduct Cross-Site Scripting Attacks
VUPEN/ADV-2005-2586: blogBuddies Multiple Parameters Handling Cross Site Scripting Issues

Reported:

Nov 25, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page