------------------------------------------------------------
- EXPL-A-2005-011 exploitlabs.com Advisory 040 -
------------------------------------------------------------
- QuickBlogger -


AFFECTED PRODUCTS
=================
QuickBlogger 1.4 ( and earlier )
http://www.jlwebworks.net/


OVERVIEW
========
QuickBlogger is a freeware flatfile PHP blog
script written to simplify updating your blog/website.


DETAILS
=======
1. XSS

QuickBlogger's comments section does not properly filter
malicious script content. XSS may be inserted in the
author and comment body sections. The malicious script
is then rendered upon visitation and executed in the
context of the user's browser.


POC
===
1.
------
Insert script into the "your name" and/or the "comment"
section.


SOLUTION:
=========
vendor contact:
webmaster@jlwebworks.net June 11, 2005
webmaster@jlwebworks.net June 21, 2005

no response received


Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2005-011-quickblogger.txt
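
The missing filtering described under DETAILS is closed by encoding both stored fields at output time. The following is an added example, not QuickBlogger's code and not part of the original advisory: a flat-file comment store in PHP that renders a comment verbatim and then in encoded form. The JSON-lines file layout and all function names are assumptions.

```php
<?php
// Added example, not QuickBlogger source: file layout and names are hypothetical.
// One JSON record per line, so newlines or delimiters in user input
// cannot forge extra records in the flat file.
function save_comment(string $file, string $author, string $body): void
{
    $rec = json_encode(['author' => $author, 'body' => $body], JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($file, $rec . "\n", FILE_APPEND | LOCK_EX);
}

function load_comments(string $file): array
{
    $out = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $c = json_decode($line, true);
        if (is_array($c) && is_string($c['author'] ?? null) && is_string($c['body'] ?? null)) {
            $out[] = $c;
        }
    }
    return $out;
}

// Encode for HTML text and quoted-attribute contexts at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Behaviour the advisory describes: stored fields echoed back verbatim.
function render_comment_unsafe(array $c): string
{
    return "<div class=\"comment\"><b>{$c['author']}</b>: {$c['body']}</div>\n";
}

// Hardened: encode first, then nl2br, so only the <br> it adds is live markup.
function render_comment_safe(array $c): string
{
    return '<div class="comment"><b>' . h($c['author']) . '</b>: '
         . nl2br(h($c['body'])) . "</div>\n";
}

// Constructed sample input: script markup in both fields the advisory names.
$file = tempnam(sys_get_temp_dir(), 'cmt');
save_comment($file, '<script>alert(1)</script>', "nice post\n<script>alert(2)</script>");
foreach (load_comments($file) as $c) {
    echo 'unsafe: ', render_comment_unsafe($c);
    echo 'safe:   ', render_comment_safe($c);
}
unlink($file);
```

Encoding at render time rather than at save time keeps the stored data intact and covers comments that were written to the file before the fix.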