H - Security Labs
Eggblog v3.1.0 Security Advisory
ID : HSEC#20071111
General Information
--------------------------
Name : EggBlog v.3.1.0
Vendor HomePage : http://sourceforge.net/projects/eggblog/
Platforms : PHP && MySQL
Vulnerability Type : Input Validation Error

Timeline
-------------------------
08 October 2007 -- Vendor Contacted
30 October 2007 -- Vendor Replied
11 November 2007 -- New Release
11 November 2007 -- Advisory Released


What is Eggblog
------------------------
eggblog is a free PHP & MySQL blogging package. Features include an internal search engine,
photo albums, forums, plug-ins, guest comments to blog articles, automatic monthly archiving
of blog articles and RSS XML feeds for both the blog and forums.
I discovered the security holes when I was testing it for my personal web blog.

Vulnerability Overview
------------------------
The script is vulnerable to XSS attacks.

Details About Vulnerability
------------------------
XSS Vulnerability (home/rss.php)

At rss.php lines 6-7 there are unfiltered uses of PHP_SELF that can be used for XSS attacks.
PHP_SELF includes any extra path information appended to the script URL, so whatever follows
home/rss.php in the request is written into the generated feed links without escaping.
---------
".$_SERVER['SERVER_NAME'].str_replace("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/blog.php
".$_SERVER['SERVER_NAME'].str_replace("/home/rss.php","",$_SERVER['PHP_SELF'])."/rss/topics.php
---------

The attacker can successfully launch XSS attacks by loading a payload onto the URL after
home/rss.php. For example:
http://www.example.com/home/rss.php/

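The following is an added example (not eggblog's code and not part of the original advisory) that reproduces the unsafe pattern from the two quoted lines next to two defensive alternatives: building the base path from SCRIPT_NAME, which carries no path info, and escaping any value before it is written into the XML feed. The request values are constructed, and the function names are hypothetical.

```php
<?php
// Added example, not eggblog's code. Shows why an unescaped
// $_SERVER['PHP_SELF'] is dangerous inside generated markup and
// how to build the same link safely. Function names are hypothetical.

// Constructed request: the script was reached with extra path info
// after /home/rss.php. PHP_SELF keeps that extra text; SCRIPT_NAME does not.
$_SERVER['SERVER_NAME'] = 'www.example.com';
$_SERVER['SCRIPT_NAME'] = '/home/rss.php';
$_SERVER['PHP_SELF']    = '/home/rss.php/<injected-text>';

// Unsafe pattern (same construction as the advisory's lines 6-7):
// only the fixed prefix is stripped, so the trailing path info is copied
// into the link verbatim.
function feed_link_unsafe(string $feed): string {
    return 'http://' . $_SERVER['SERVER_NAME']
        . str_replace('/home/rss.php', '', $_SERVER['PHP_SELF'])
        . '/rss/' . $feed;
}

// Fix 1: derive the install base from SCRIPT_NAME and dirname(), which
// never contains request-controlled path info. For '/home/rss.php' the
// base is '' (site root); for '/blog/home/rss.php' it is '/blog'.
function feed_link_fixed(string $feed): string {
    $base = dirname(dirname($_SERVER['SCRIPT_NAME']));
    if ($base === '/' || $base === '\\' || $base === '.') {
        $base = '';
    }
    return 'http://' . $_SERVER['SERVER_NAME'] . $base . '/rss/' . $feed;
}

// Fix 2 (output encoding): anything written into the XML feed is escaped
// for that context, so even an unexpected value cannot break out of the
// surrounding element.
function xml_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

echo "Unsafe : " . feed_link_unsafe('blog.php') . "\n";
echo "Fixed  : " . feed_link_fixed('blog.php') . "\n";
echo "Escaped: " . xml_text(feed_link_unsafe('blog.php')) . "\n";
```

Run with `php example.php`: the unsafe link contains the injected path segment unchanged, the fixed link resolves to `http://www.example.com/rss/blog.php` regardless of what follows the script name, and the escaped variant turns `<` and `>` into entities. Both fixes are worth applying together, since SERVER_NAME itself can reflect the client's Host header on servers that do not enforce a canonical name.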
Solutions
-----------------------
Download the new release : EggBlog v3.1.1

Credits
-----------------------
The vulnerabilities were found on 08 October 2007
by Mesut Timur