Insanely simple blog - Multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Insanely simple blog - Multiple vulnerabilities
From: joseph.giron13@xxxxxxxxx
Date: 17 Jul 2007 10:08:41 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Insanely simple blog version 0.5 and below
http://sourceforge.net/projects/insanelysimple2

ISB contains multple vulnerabilities including both XSS, and SQL injection.

First off, the search action fails to strip user content for html allowing a 
user to input tags. Next, anonymous blog entries can contain javascript 
allowing script execution. How? Well, tags are stripped, and there is

As for the sql injection portion, several GET variables allow for the injection 
of SQL queries.

First of which is the current_subsection variable.

The following proof of concepts are provided

http://www.example.net/index.php?current_subsection=2 or 1=1/*
^^ dumps all table data.
http://www.example.net/index.php?current_subsection=2%20union%20all%20select 
blah from content/*


The following bits of code work on the blog.
<B onmousemver="javascript:alert('lol')">Pizza pie</B>
<OL onmouseover="alert('lol')">I like it</OL>

The fix for now is to filter blog entries with either a regex or the 
htmlspecialchars() function. The sql injection can be prevented by making sure 
the variables are numeric.

Prev by Date: LFI On SMF 1.1.3
Next by Date: rPSA-2007-0141-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
Previous by thread: Re: LFI On SMF 1.1.3
Next by thread: rPSA-2007-0141-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
Index(es):
- Date
- Thread