<<< Date Index >>>     <<< Thread Index >>>

UBlog Remote XSS Exploit



Vunerability(s):
----------------
XSS Exploit


Product:
--------
UBlog 1.6 Access Edition

Vendor:
--------
http://www.uapplication.com/ublog/index.asp


Description of product:
-----------------------

Blog archive by date; Possibility to comment a blog; Notify via email; Password 
protected; 
Amend or remove blogs or comments; On-line configuration; Multilanguage 
support; Completely customisable look through 
CSS etc. Code: ASP 2.0 & VBScript


Vulnerability / Exploit:
------------------------

The applications UBlog is vulnerable to an XSS (Cross-Site Scripting) Attack.


PoC / Proof of Concept:
-----------------------

If the poster post in the field *text: the follow script

<script>alert("You are vulnerabile to XSS")</script>

When a user go to see the blog he receive the message "You are vulnerabile to 
XSS". 
This is very boring.

Additional Information:
-----------------------

Google dorks: "Powered by UBlog"


Vendor Status
-------------

The vendor is informed!

Credits:

Cyber-Security.ORG | Turkish Hacking & Security
Security advisory by SnoB