<<< Date Index >>>     <<< Thread Index >>>

SIMPLOG 0.9.3 injection sql & multiple xss



[[ SIMPLOG 0.9.3 ]]

cms website : http://www.simplog.org/



xss:
        [*] Administration Panel
                - user.php
                        *Name
                        *URL
                        *Email
                        *API Key
                        *Flickr Email
                        *Flickr Password
                        
                - news.php
                        *URL
                        
                - edit.php
                        *Title
                        *Entry
                        *Manual TrackBack
        => risk very low
        
        [*] SimpLog User Part
                
simplog/archive.php?blogid=1&pid=</textarea>'"><script>alert(document.cookie)</script>
        => risk low
        
Sql injections :

        simplog/archive.php?blogid=
        simplog/archive.php?blogid=1&pid=
        simplog/index.php?blogid=
        
        => risk high
        
Global risk for this cms: medium

Benjamin Mossé & Laurent Gaffié
http://s-a-p.ca/