Message-ID: <20060507065023.30988.qmail@securityfocus.com>
Date: 7 May 2006 06:50:23 -0000
From: SnoBMSN@...mail.De
To: bugtraq@...urityfocus.com
Subject: UBlog Remote XSS Exploit


Vulnerability(s):
----------------
XSS Exploit


Product:
--------
UBlog 1.6 Access Edition

Vendor:
--------
http://www.uapplication.com/ublog/index.asp


Description of product:
-----------------------

Blog archive by date; Possibility to comment on a blog; Notify via email; Password protected;
Amend or remove blogs or comments; On-line configuration; Multilanguage support; Completely customisable look through
CSS etc. Code: ASP 2.0 & VBScript


Vulnerability / Exploit:
------------------------

The application UBlog is vulnerable to an XSS (Cross-Site Scripting) attack.


PoC / Proof of Concept:
-----------------------

If the poster submits the following script in the *text field:

<script>alert("You are vulnerable to XSS")</script>

When a user goes to view the blog, they receive the message "You are vulnerable to XSS".
This is very annoying.
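
The root cause of a stored XSS like this is writing the stored *text field into the page without output encoding. As an added illustration (not UBlog's own code; the recordset `rs` and its field names are assumptions), here is the vulnerable Classic ASP pattern beside the encoded form:

```vbscript
<%
' Added illustration, not UBlog's own code. Assumes an open ADO recordset
' "rs" with fields "text", "title" and "id" (all names are assumptions).

' Renders stored text as HTML-safe content while keeping the author's line
' breaks. Appending "" turns a Null database value into an empty string, so
' Server.HTMLEncode does not raise an error on it.
Function SafeText(value)
    Dim encoded
    encoded = Server.HTMLEncode(value & "")        ' < > & " become entities
    SafeText = Replace(encoded, vbCrLf, "<br />")  ' markup added only after encoding
End Function

' Vulnerable pattern: the stored field is written to the page verbatim, so a
' post containing <script>alert("You are vulnerable to XSS")</script> runs
' in every reader's browser.
' Response.Write rs("text")

' Hardened pattern: the same field, encoded at output time. The script tag
' becomes the literal text &lt;script&gt;... and is displayed, not executed.
Response.Write "<div class=""entry"">" & SafeText(rs("text")) & "</div>"

' Values placed inside attributes need encoding too. Server.HTMLEncode also
' escapes the double quote, so a double-quoted attribute cannot be broken
' out of; the numeric id is cast so only digits reach the URL.
Response.Write "<a title=""" & SafeText(rs("title")) & """ href=""view.asp?id=" & CLng(rs("id")) & """>permalink</a>"
%>
```

Server.HTMLEncode does not escape the single quote, so attribute values must be wrapped in double quotes for this to hold.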

Additional Information:
-----------------------

Google dorks: "Powered by UBlog"


Vendor Status
-------------

The vendor has been informed.

Credits:
--------

Cyber-Security.ORG | Turkish Hacking & Security
Security advisory by SnoB

