<<< Date Index >>>     <<< Thread Index >>>

evoBlog Remote Name tag Script injection



DESCRIPTION
evoBlog is prone to HTML injection attacks. It is possible for a malicious 
evoBlog user to inject hostile HTML and script code into the commentary via 
form fields. This code may be rendered in the browser of a web user who views 
the commentary of evoBlog.
evoBlog does not adequately filter HTML tags from various fields. This may 
enable an attacker to inject arbitrary script code into pages that are 
generated by the evoBlog.

All versions are vulnerable.

EXPLOIT

Write and HTML script for example: <script>alert('test')</script> in the name 
tag.

HOMEPAGE
http://www.ajaxreview.com/