SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  blogBuddies Vendors:  blogbuddies.sourceforge.net
blogBuddies Input Validation Holes Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015264
SecurityTracker URL:  http://securitytracker.com/id?1015264
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 24 2005
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 0.3
Description:  ][GB][ reported a vulnerability in blogBuddies. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.

The 'index.php', 'magpie_debug.php', and 'magpie_slashbox.php' scripts do not properly filter HTML code from user-supplied input in various parameters before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the blogBuddies software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/blogbuddies/inde x.php?u="><script>alert("hola vengo a flotar");</script>

http://[target]/blogbuddies/magpierss-0.71/scripts/magpie_debug.php?url="><script>alert("...");</script>

ht tp://[target]/blogbuddies/magpierss-0.71/scripts/magpie_slashbox.php?rss_url="><script>alert("...");</script>

A remote user can also directly invoke certain scripts to cause the system to disclose the installation path.

Some demonstration exploit URLs are provided:

http://[target]/blogbuddies/magpierss-0.71/scripts/magpie_debug.php

http://[target]/blogbuddies/magpierss-0.71/scripts/simple_smarty.php
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the blogBuddies software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/blogbuddies/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "][GB][" <gb.network@gmail.com>
Message History:   None.

 Source Message Contents
Date:  Thu, 24 Nov 2005 04:24:17 +0100
From:  "][GB][" <gb.network@gmail.com>
Subject:  XSS & Full path disclosure in blogBuddies

 
Language: PHP
Script: blogBuddies
Version: 0.3
Official website: http://sourceforge.net/projects/blogbuddies/
Problem: XSS & Full path disclosure
Discovered by: ][GB][
 
Description:
===========
 
blogBuddies is PHP software which gathers RSS and Atom feeds into a layout similar to the LiveJournal
 Friends page.
It is optimized for blogs, and works with Blogger, LiveJournal, DeadJournal, GreatestJournal, Xanga, 
RSS feeds, and Atom feeds.
 
Problems:
========
 
The scripts,index.php,magpie_debug.php and magpie_slashbox.php does not properly filter HTML code fro
m user-supplied
input in the 'u','url'and 'rss_url' parameters before displaying the input.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbit
rary scripting
code to be executed by the target user's browser.
 
XSS Poof:
========
 
http://dhost.info/computechnix/blogbuddies/index.php?u="><script>alert("hola vengo
 a flotar");</script>
http://dhost.info/computechnix/blogbuddies/magpierss-0.71/scripts/magpie_debug.php?url="><
script>alert("...");</script>
http://dhost.info/computechnix/blogbuddies/magpierss-0.71/scripts/magpie_slashbox.php?rss_url="><
script>alert("...");</script>
 
Full path disclosure Poof:
=========================
 
http://dhost.info/computechnix/blogbuddies/magpierss-0.71/scripts/magpie_debug.php
http://dhost.info/computechnix/blogbuddies/magpierss-0.71/scripts/simple_smarty.php
 
 
Solution:
========
 
Not solution at this time.
 
 
Greetz:
=======
 
uyx, beford, Zetha, lithyum,_|MALANDDO|_ ,desKrriado, |LINUX|, Amon-Ra, Extremo, SecretDreams, caffa
 
&& irc.gigachat.net #uruguay, #h4ck3rsbr, #IYS, #D.O.M, #MSR ,,, irc.fullnetwork.org #full, #
f4kelive
   
   irc.org.ve #uruguay, #venezuela
 
Fuckz:
=====
Morgan lamer and his irc.irc-argentina.org, his small ddos-botnet, its hidden in that server, the bot
s are
supposed to be argentinian users but noooo, he is using that ripped worm code i mentioned before!!!
he is such a leet h4x0r from santiago del estero (.ar)! hahahhaa


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC