<<< Date Index >>>     <<< Thread Index >>>

XSS vulnerability in Blojsom




I. BACKGROUND

Taken from the Blojsom Website :
"Blojsom is a Java-based, full-featured, multi-blog, multi-user software 
package that was inspired by blosxom. blojsom aims to retain a simplicity in 
design while adding flexibility in areas such as the flavors, templating, 
plugins, and the ability to run multiple blogs with a single blojsom 
installation"

Blojsom is also the software running this blog and the software behind Apple 
Computer's OS X Server Weblog Server. 

http://wiki.blojsom.com/wiki/display/blojsom/About+blojsom

II. DESCRIPTION

Remote exploitation of a Cross-Site Scripting (XSS) vulnerability in Blojsom 
allows an attacker to force to inject arbitrary script code into a users 
session, possibly stealing logon credentials.

To demonstrate the vulnerability, simply embed the following encoded text into 
the identified vulnerable fields. 

>'><script>alert(1234)</script>

This will have the affect of popping up an alert window. This proof of concept 
could easily be altered to cause the script to return authentication 
credentials to an attacker controlled server.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to inject 
arbitrary script code into the session. This could allow for the theft of 
authentication information, which could lead to a compromised account.

In order for exploitation to occur, the targeted user would only have to view a 
blog entry from an attacker. This vulnerability has a high potential for 
widespread exploitation.

IV. DETECTION

Blojsom 2.3.1 Web application has been confirmed vulnerable.

SNORT SIGNATURES 
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Blojsom Weblog XSS exploit"; 
flow:to_server; content:"POST"; depth:4; nocase; 
pcre:"/(blog-category-description|blog-entry-title|rss-enclosure-url|technorati-tagsi|blog-category-name).*=.*%3cscript%3e.*%3c%2fscript%3e.*&/i";
 classtype:web-application-activity; sid:9999994; rev:1;)



V. WORKAROUND

Cenzic is currently unaware of any effective workarounds that can be 
implemented on the server in order to mitigate the risk of this vulnerability; 
however, there are workarounds available for client 
protection. Since exploitation allows for the execution of malicious code in 
web browsers, successful exploitation could be thwarted by disabling script 
code and active content support within a client browser. Take note that 
employing this workaround could adversely affect web sites reliant upon the 
execution of browser-based script code. The following steps can be taken to 
disable active scripting in 
Mozilla and Internet Explorer:

Internet Explorer 5.0, 5.01, 5.5, 6

a. On the Tools menu, click Internet Options, click the Security tab, click the 
Internet Web content zone, and then click Custom Level.

b. In the Settings box, scroll down to the Scripting section, and click Disable 
under Active scripting and Scripting of Java applets.

c. Click OK, and then click OK again.

Mozilla Firefox

a. On the Tools menu, click Options and click the Web Features tab.

b. De-select the Enable JavaScript checkbox.

c. Click OK. 

VI. VENDOR RESPONSE
Fixed in CVS. The fixes will be made available in a blojsom 2.32 update.


VII. CVE INFORMATION
CERT has assigned a tracking number VU#425861. They take upto 45 days to make a 
public disclosure. 


VIII. DISCLOSURE TIMELINE

08/30/2006 Initial vendor notification

08/31/2006 Initial vendor response

??/??/???? Coordinated public disclosure

IX. CREDIT

Avinash Shenoi 
Cenzic Inc. 



X. LEGAL NOTICES

Copyright © 

Permission is granted for the redistribution of this alert electronically. It 
may not be edited in any way without the express written consent of Cenzic. If 
you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email 
for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.