[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UBlog Remote XSS Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: UBlog Remote XSS Exploit
From: SnoBMSN@xxxxxxxxxx
Date: 7 May 2006 06:50:23 -0000

Vunerability(s):
----------------
XSS Exploit


Product:
--------
UBlog 1.6 Access Edition

Vendor:
--------
http://www.uapplication.com/ublog/index.asp


Description of product:
-----------------------

Blog archive by date; Possibility to comment a blog; Notify via email; Password 
protected; 
Amend or remove blogs or comments; On-line configuration; Multilanguage 
support; Completely customisable look through 
CSS etc. Code: ASP 2.0 & VBScript


Vulnerability / Exploit:
------------------------

The applications UBlog is vulnerable to an XSS (Cross-Site Scripting) Attack.


PoC / Proof of Concept:
-----------------------

If the poster post in the field *text: the follow script

<script>alert("You are vulnerabile to XSS")</script>

When a user go to see the blog he receive the message "You are vulnerabile to 
XSS". 
This is very boring.

Additional Information:
-----------------------

Google dorks: "Powered by UBlog"


Vendor Status
-------------

The vendor is informed!

Credits:

Cyber-Security.ORG | Turkish Hacking & Security
Security advisory by SnoB

Prev by Date: Re: Firefox 1.5.0.3 code execution exploit
Next by Date: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
Previous by thread: Re: Milliscript 1.4 Multiple Vulnerabilities
Next by thread: [ MDKSA-2006:084 ] - Updated MySQL packages fix several vulnerabilities
Index(es):
- Date
- Thread