Date: Fri, 26 Jan 2007 17:52:54 +0900
From: teracci2002@...oo.co.jp
To: bugtraq@...urityfocus.com
Subject: Movable Type <= 3.33 XSS Exploit

[Description]
MT (Movable Type) is a Blog software. MT has an XSS filter to remove scripts from user inputs, but there are ways to evade the filter using malformed input.

[Affected]
Movable Type <= 3.33

[Exploit]
By default, Blog readers are allowed to post comments containing html tags. Attackers may post malformed comments as below.

1. NULL byte in number entity reference.

   <A href="javascript[0x00]8;alert();">link</A>

2. Unfinished tag in the tail of comment.

   <P><BR style="xss:expression(alert())"

MT's filter fails to sanitize these comments. Scripts in these comments may run in certain browsers (maybe in IE ONLY).

[Impact]
- Cookie theft.
- Web page defacement.

[Solution]
Upgrade MT to the newest version. Six Apart fixed these problems in v3.34.

[Links]
http://www.sixapart.com/movabletype/beta/distros/MT-3.34-beta-Release-Notes.html
See #46226.

----
teracci2002@...oo.co.jp
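Added example, not part of the original post and not Movable Type's or Six Apart's code: a comment sanitizer in Python that is built to withstand the two malformed inputs listed under [Exploit], by stripping NUL bytes before parsing, rebuilding allowlisted tags from scratch, and escaping everything else, including an unfinished tag at the tail. The tag allowlist, the scheme allowlist and all function names are assumptions made for the illustration.

```python
import html
import re

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}   # assumed comment policy
SAFE_HREF = re.compile(r"^(?:https?://|mailto:)", re.I)      # assumed scheme allowlist
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")     # NUL etc., keeps \t \n \r
TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>")     # complete tags only
HREF = re.compile(r"""\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)

def esc(text):
    """Escape text for output without double-escaping existing entities."""
    return html.escape(html.unescape(text))

def clean_href(raw):
    """Return the decoded href if it is allowlisted, else None."""
    value = html.unescape(raw).strip()
    # Judge the value only after entity decoding; refuse anything that still
    # holds whitespace, control characters or U+FFFD (what &#0; decodes to).
    if re.search(r"[\x00-\x20\x7f\ufffd]", value) or not SAFE_HREF.match(value):
        return None
    return value

def sanitize_comment(text):
    """Rebuild allowlisted tags from scratch; escape everything else."""
    text = CONTROL.sub("", text)          # NUL bytes go before any parsing
    out, pos = [], 0
    for m in TAG.finditer(text):
        out.append(esc(text[pos:m.start()]))
        pos = m.end()
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            out.append(esc(m.group(0)))   # unknown tag becomes visible text
            continue
        tag = "<" + closing + name
        h = HREF.search(attrs) if name == "a" and not closing else None
        href = clean_href(h.group(1) or h.group(2) or "") if h else None
        if href:
            tag += ' href="' + html.escape(href) + '"'
        out.append(tag + ">")             # style and all other attributes dropped
    out.append(esc(text[pos:]))           # an unfinished "<tag ..." tail lands here
    return "".join(out)

# The two comments from the advisory, with [0x00] written as a real NUL byte.
NUL_SAMPLE = '<A href="javascript\x008;alert();">link</A>'
TAIL_SAMPLE = '<P><BR style="xss:expression(alert())"'

if __name__ == "__main__":
    for sample in (NUL_SAMPLE, TAIL_SAMPLE):
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```

Because the output is assembled only from allowlisted tag names and a validated href, the filter does not need to predict how a particular browser would parse malformed markup.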