Open Source and information security mailing list archives
 
Date: 3 Nov 2006 18:18:58 -0000
From: saps.audit@...il.com
To: bugtraq@...urityfocus.com
Subject: SIMPLOG 0.9.3 injection sql & multiple xss

[[ SIMPLOG 0.9.3 ]]

cms website : http://www.simplog.org/



xss:
	[*] Administration Panel
		- user.php
			*Name
			*URL
			*Email
			*API Key
			*Flickr Email
			*Flickr Password
			
		- news.php
			*URL
			
		- edit.php
			*Title
			*Entry
			*Manual TrackBack
	=> risk very low
	
	[*] SimpLog User Part
		simplog/archive.php?blogid=1&pid=</textarea>'"><script>alert(document.cookie)</script>
	=> risk low
	
Sql injections :

	simplog/archive.php?blogid=
	simplog/archive.php?blogid=1&pid=
	simplog/index.php?blogid=
	
	=> risk high
	
Global risk for this cms: medium

Benjamin Mossé & Laurent Gaffié
http://s-a-p.ca/
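
The following is an added example, not part of the original advisory or of Simplog's code: a log check that flags requests to the scripts listed above whose `blogid` or `pid` value is not a plain number. It assumes combined-format access logs and that legitimate ids are decimal integers (as in `blogid=1`); the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and parameters named in the advisory.
WATCHED = {"archive.php": ("blogid", "pid"), "index.php": ("blogid",)}

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2006:18:01:00 +0000] "GET /simplog/archive.php?blogid=1&pid=42 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Nov/2006:18:02:00 +0000] "GET /simplog/archive.php?blogid=1&pid=%3C/textarea%3E%27%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.12 - - [03/Nov/2006:18:03:00 +0000] "GET /simplog/index.php?blogid=1%27 HTTP/1.1" 200 812',
    '192.0.2.13 - - [03/Nov/2006:18:04:00 +0000] "GET /simplog/index.php HTTP/1.1" 200 4096',
]


def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for non-numeric id values."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    # keep_blank_values so an empty "blogid=" is inspected rather than dropped.
    query = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for param in WATCHED.get(script, ()):
        for value in query.get(param, []):
            # Assumption: a legitimate id is 1-10 ASCII digits and nothing else.
            if not re.fullmatch(r"[0-9]{1,10}", value):
                findings.append((script, param, value))
    return findings


def scan(lines):
    """Return [(line_number, findings)] for every line with a finding."""
    results = []
    for number, line in enumerate(lines, start=1):
        findings = suspicious_params(line)
        if findings:
            results.append((number, findings))
    return results


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

The same digits-only rule can be enforced server-side before the value reaches a query or is echoed into a page, which addresses both the injection and the reflected `pid` case.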
