FC2 BLOG Cross-Site Scripting Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: FC2 BLOG Cross-Site Scripting Vulnerabilities
- From: xsp <xisigr@xxxxxxxxx>
- Date: Thu, 9 Oct 2008 09:35:29 +0800
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=ouzjSD/IdaW3dVlDrBhEuedpRHGGsurd0+mj4LwzQtU=; b=XWwcu6u+idCtFaUXu/jw6m6oCswRO3ZorG2LN6fWXy6sAXQ1zjQIptHOgqvkBYL95F DRtGuE3sXWgQJBBaBoVW55EZUi+a452q7PaM4eQ6me7OKkCKzj0bchQ9CGQ9/z17IHyM s+n1pMB9jSe8GXIV1H+Ufq+wcwg2awT0nRoAY=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=lT82pI6zsmMw06Q9/AN+gSBVOVi9Oc2BZyo32PdRKmOz2V8fSs/VSgw2iq8aQjoTr7 AkaHH4vY+UtAcr1J7/TIwiOLGWhuJoLhfXJycD8fAOql6e6Eovp0zMwOTrECTTCmfIyG t36dH3a5tozc3OyBnjgmhMc9wTryABXdQcs+U=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Subject: FC2 BLOG Cross-Site Scripting Vulnerabilities
Application: FC2 BLOG
Vendor:BLOG.FC2.COM
Corporation: FC2, Inc.
DATE : 9 Oct 2008
Description: FC2 BLOG Cross-Site Scripting Vulnerabilities
Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of A New Entry.
Exploit:
==============
Write A New Entry in FC2 blog:
<input type="image" src="x" onerror="javascript:alert(/XSP/)" />
==============
xisigr[topsec]
xisigr@xxxxxxxxx