SIMPLOG 0.9.3 SQL injection & multiple XSS
[[ SIMPLOG 0.9.3 ]]
CMS website: http://www.simplog.org/
XSS:
[*] Administration Panel
  - user.php
      * Name
      * URL
      * Email
      * API Key
      * Flickr Email
      * Flickr Password
  - news.php
      * URL
  - edit.php
      * Title
      * Entry
      * Manual TrackBack
=> risk very low
[*] SimpLog User Part
simplog/archive.php?blogid=1&pid=</textarea>'"><script>alert(document.cookie)</script>
=> risk low
SQL injections:
simplog/archive.php?blogid=
simplog/archive.php?blogid=1&pid=
simplog/index.php?blogid=
=> risk high
Global risk for this CMS: medium
Benjamin Mossé & Laurent Gaffié
http://s-a-p.ca/
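
Added example, not part of the original advisory or of Simplog's own code: a check a defender can run over web server access logs to find requests that put non-numeric data into the parameters listed above (blogid and pid on archive.php, blogid on index.php). It assumes both parameters are plain numeric IDs (the advisory only shows blogid=1) and that the server writes combined-format access logs; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts and parameters named in the advisory.
WATCHED = {
    "archive.php": ("blogid", "pid"),
    "index.php": ("blogid",),
}
# Assumption: both parameters are plain numeric identifiers.
NUMERIC = re.compile(r"[0-9]{1,10}")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def suspicious_params(target):
    """Return [(param, value)] for watched parameters that are not numeric."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script, ())
    return [
        (name, value)  # value is already percent-decoded by parse_qsl
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name in watched and not NUMERIC.fullmatch(value)
    ]

def scan(log_lines):
    """Yield (line_number, param, value) for each finding in an access log."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a recognisable request line
        for name, value in suspicious_params(match.group(1)):
            yield number, name, value

# Constructed sample log lines; the second carries the advisory's own
# archive.php example as it would appear percent-encoded in a log.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /simplog/index.php?blogid=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /simplog/archive.php?blogid=1'
    '&pid=%3C/textarea%3E%27%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4096',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /simplog/index.php?blogid=not-a-number HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r}")
```

The same numeric-only rule, applied server-side before blogid and pid reach a query or the page output, closes both the SQL injection and the reflected XSS listed for these parameters.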