SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

XSS vulnerability in Blojsom


Arrow  SecurityAlert : 1594
Arrow  CVE : CVE-2006-4829
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Avinash Shenoi
Arrow  Published : 20.09.2006

Arrow  Affected Software : Blojsom



Arrow  Advisory Content :  


I. BACKGROUND

Taken from the Blojsom Website :

"Blojsom is a Java-based, full-featured, multi-blog, multi-user software
package that was inspired by blosxom. blojsom aims to retain a simplicity
in design while adding flexibility in areas such as the flavors,
templating, plugins, and the ability to run multiple blogs with a single
blojsom installation"

Blojsom is also the software running this blog and the software behind
Apple Computer's OS X Server Weblog Server.

http://wiki.blojsom.com/wiki/display/blojsom/About+blojsom

II. DESCRIPTION

Remote exploitation of a Cross-Site Scripting (XSS) vulnerability in
Blojsom allows an attacker to force to inject arbitrary script code into a
users session, possibly stealing logon credentials.

To demonstrate the vulnerability, simply embed the following encoded text
into the identified vulnerable fields.

>'><script>alert(1234)</script>

This will have the affect of popping up an alert window. This proof of
concept could easily be altered to cause the script to return
authentication credentials to an attacker controlled server.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to
inject arbitrary script code into the session. This could allow for the
theft of authentication information, which could lead to a compromised
account.

In order for exploitation to occur, the targeted user would only have to
view a blog entry from an attacker. This vulnerability has a high potential
for widespread exploitation.

IV. DETECTION

Blojsom 2.3.1 Web application has been confirmed vulnerable.

SNORT SIGNATURES

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Blojsom Weblog XSS
exploit"; flow:to_server; content:"POST"; depth:4; nocase;
pcre:"/(blog-category-description|blog-entry-title|rss-enclosure-url|tec
hnorati-tagsi|blog-category-name).*=.*%3cscript%3e.*%3c%2fscript%3e.*&/i
"; classtype:web-application-activity; sid:9999994; rev:1;)

V. WORKAROUND

Cenzic is currently unaware of any effective workarounds that can be
implemented on the server in order to mitigate the risk of this
vulnerability; however, there are workarounds available for client

protection. Since exploitation allows for the execution of malicious code
in web browsers, successful exploitation could be thwarted by disabling
script code and active content support within a client browser. Take note
that employing this workaround could adversely affect web sites reliant
upon the execution of browser-based script code. The following steps can be
taken to disable active scripting in

Mozilla and Internet Explorer:

Internet Explorer 5.0, 5.01, 5.5, 6

a. On the Tools menu, click Internet Options, click the Security tab, click
the Internet Web content zone, and then click Custom Level.

b. In the Settings box, scroll down to the Scripting section, and click
Disable under Active scripting and Scripting of Java applets.

c. Click OK, and then click OK again.

Mozilla Firefox

a. On the Tools menu, click Options and click the Web Features tab.

b. De-select the Enable JavaScript checkbox.

c. Click OK.

VI. VENDOR RESPONSE

Fixed in CVS. The fixes will be made available in a blojsom 2.32 update.

VII. CVE INFORMATION

CERT has assigned a tracking number VU#425861. They take upto 45 days to
make a public disclosure.

VIII. DISCLOSURE TIMELINE

08/30/2006 Initial vendor notification

08/31/2006 Initial vendor response

??/??/???? Coordinated public disclosure

IX. CREDIT

Avinash Shenoi

Cenzic Inc.

X. LEGAL NOTICES

Copyright ©

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
Cenzic. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically, please
email for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

Copyright © SecurityReason.com. All Rights Reserved.