Insanely simple blog - Multiple vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052936 漏洞类型
发布时间 2007-07-21 更新时间 2007-07-21
CVE编号 CVE-2007-3889
CVE-2007-3888
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2007070059
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Insanely simple blog version 0.5 and below
http://sourceforge.net/projects/insanelysimple2

ISB contains multple vulnerabilities including both XSS, and SQL injection.

First off, the search action fails to strip user content for html allowing a user to input tags. Next, anonymous blog entries can contain javascript allowing script execution. How? Well, tags are stripped, and there is

As for the sql injection portion, several GET variables allow for the injection of SQL queries.

First of which is the current_subsection variable.

The following proof of concepts are provided

http://www.example.net/index.php?current_subsection=2 or 1=1/*
^^ dumps all table data.
http://www.example.net/index.php?current_subsection=2%20union%20all%20se
lect blah from content/*

The following bits of code work on the blog.
<B onmousemver="javascript:alert('lol')">Pizza pie</B>
<OL onmouseover="alert('lol')">I like it</OL>

The fix for now is to filter blog entries with either a regex or the htmlspecialchars() function. The sql injection can be prevented by making sure the variables are numeric.