by r0t,der4444,cembo,VietMafia

Friday, December 23, 2005

eggblog vuln.

Vuln. discovered by: r0t
Date: 22 Dec. 2005
Affected version: eggblog v2.0 and prior

Product Description:

eggblog is a small, simple, secure and open source blogging package. Anyone with a php and mysql enabled server can make use of our easy to install package to create their own personal blog.

Vuln. Description:

eggblog contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to parameters in "home/search.php" when performing a search isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

It is also possible to disclose the full path to "search.php" by accessing it with an invalid "q" parameter.

Edit the source code to ensure that input is properly sanitised.
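
One way to apply that fix, shown as an added example that is not eggblog's code and not part of the original advisory: a hypothetical search handler that validates "q", encodes it on output, and keeps PHP error text out of the response. The function names and the 100-character limit are assumptions, as is treating a non-string "q" as the invalid case; only the "q" parameter name comes from the advisory.

```php
<?php
// Added example: hypothetical search handler, not eggblog's actual code.
declare(strict_types=1);

// Keep PHP warnings (which include the script's full path) out of responses
// and send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return the search term as a bounded string, or null when the parameter
 * is missing or malformed (for example, sent as an array).
 */
function read_query(array $params, int $maxLen = 100): ?string
{
    $q = $params['q'] ?? null;
    if (!is_string($q)) {
        return null;              // reject here rather than let PHP warn later
    }
    $q = trim($q);
    if ($q === '' || strlen($q) > $maxLen) {
        return null;
    }
    return $q;
}

/** Encode a value for HTML text or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the search page fragment; a real page would pass $_GET. */
function render_search(array $params): string
{
    $q = read_query($params);
    if ($q === null) {
        return '<p>Please enter a search term.</p>';   // generic, no path
    }
    // The unsafe form would concatenate $q directly into the markup.
    return '<p>Results for "' . h($q) . '"</p>'
         . '<input type="text" name="q" value="' . h($q) . '">';
}

// Constructed sample inputs: markup in the term, then a non-string value.
echo render_search(['q' => '"><b>term</b>']), "\n";
echo render_search(['q' => ['not', 'a', 'string']]), "\n";
```

Encoding at output time covers both the echoed search term and the refilled form field; the type check and `display_errors` setting address the path disclosure separately, since escaping alone does not stop a warning from being printed.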


Anonymous Egg told...

Items resolved in latest release, v3.0b.

Please remove this post.

6:16 PM



Copyright (c) 2006 Pridels Sec Crew