Mephisto blog is vulnerable to XSS

2007-03-30 / 2007-03-31

Credit: Sergey Tikhonov

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2007-1768

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Hello everyone!
Current bleeding-edge version of Mephisto blog is vulnerable to XSS.
Comment's author name accept javascript code. If admin approves/
rejects comments manually, he have to load all unapproved comments,
so it's possible to fetch his session id.
Example
Add new comment with the following author name: <script>alert
(document.cookie)</script>
Then from admin's overview section check this comment - you'll see
message with cookie.
If you manually approve your comments, check list of pending comments.
How to fix it
patch for <approot>/app/helpers/application_helper.rb :
5c5
< return comment.author if comment.author_url.blank?
---
> return h(comment.author) if comment.author_url.blank?
Best wishes!
Sergey Tikhonov

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Mephisto blog is vulnerable to XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.