QuickBlogger version 1.4 and below is susceptible to a cross site scripting attack.
ff3e82e8c502f427c05bcddb61b4a211c3bbd510fcae82f3c5f0ed4868c38b20
------------------------------------------------------------
- EXPL-A-2005-011 exploitlabs.com Advisory 040 -
------------------------------------------------------------
- QuickBlogger -
AFFECTED PRODUCTS
=================
QuickBlogger 1.4 ( and earlier )
http://www.jlwebworks.net/
OVERVIEW
========
QuickBlogger is a freeware flatfile php blog script
written to simplify updating your blog/website.
DETAILS
=======
1. XSS
Quickblog comments section does not properly filter
malicious script content. XSS my be inserted in the
author and comment body sections. The malicious script
is the rendered upon visitation and executed in the
context of the users brower.
POC
===
1.
------
insert script into the "your name" and or
the "comment" section.
SOLUTION:
=========
vendor contact:
webmaster@jlwebworks.net June 11, 2005
webmaster@jlwebworks.net June 21, 2005
no response recieved
Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
Donnie Werner
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
http://exploitlabs.com/files/advisories/EXPL-A-2005-011-quickblogger.txt