Zoomblog HTML Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Zoomblog HTML Injection Vulnerability
From: sikikmail@xxxxxxxxx
Date: 4 Nov 2005 18:05:33 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


DESCRIPTION
Zoomblog is prone to HTML injection attacks. It is possible for a malicious 
Zoomblog user to inject hostile HTML and script code into the commentary via 
form fields. This code may be rendered in the browser of a web user who views 
the commentary of Zoomblog.
Zoomblog does not adequately filter HTML tags from various fields. This may 
enable an attacker to inject arbitrary script code into pages that are 
generated by the Zoomblog.
All versions are vulnerable.


EXPLOIT
There is no exploit required.

EXAMPLE
Write <script>alert('test')</script> in http://yourblog.zoomblog/comments/

HOMEPAGE
http:/zoomblog.com

Prev by Date: Zoomblog HTML Injection Vulnerability
Next by Date: Gallery_v2.4 SQL Injection
Previous by thread: Zoomblog HTML Injection Vulnerability
Next by thread: Re: Zoomblog HTML Injection Vulnerability
Index(es):
- Date
- Thread