SIMPLOG 0.9.3 SQL injection & multiple XSS
Date: 3 Nov 2006 18:18:58 -0000
From: [email protected]
To: [email protected]
Subject: SIMPLOG 0.9.3 SQL injection & multiple XSS
[[ SIMPLOG 0.9.3 ]]
CMS website: http://www.simplog.org/
XSS:
[*] Administration Panel
- user.php
*Name
*URL
*Email
*API Key
*Flickr Email
*Flickr Password
- news.php
*URL
- edit.php
*Title
*Entry
*Manual TrackBack
=> risk very low
[*] SimpLog User Part
simplog/archive.php?blogid=1&pid=</textarea>'"><script>alert(document.cookie)</script>
=> risk low
SQL injections:
simplog/archive.php?blogid=
simplog/archive.php?blogid=1&pid=
simplog/index.php?blogid=
=> risk high
Global risk for this CMS: medium
Benjamin Mossé & Laurent Gaffié
http://s-a-p.ca/
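
Added example, not part of the original advisory and not Simplog code: a log check that flags requests to the endpoints listed above (archive.php, index.php) whose blogid or pid value is not a plain number. It assumes both parameters are decimal identifiers in normal use and that the web server writes combined-format access logs; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory.
WATCHED = {"archive.php": ("blogid", "pid"), "index.php": ("blogid",)}
# Assumption: both parameters are plain decimal identifiers in normal use.
NUMERIC = re.compile(r"[0-9]{1,10}")
# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for watched parameters
    whose decoded value is not purely numeric (empty values included)."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for param in WATCHED.get(script, ()):
        for value in query.get(param, []):
            if not NUMERIC.fullmatch(value):
                hits.append((script, param, value))
    return hits

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2006:18:20:01 +0000] '
    '"GET /simplog/archive.php?blogid=1&pid=42 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Nov/2006:18:20:05 +0000] '
    '"GET /simplog/archive.php?blogid=1&pid=%3C%2Ftextarea%3E HTTP/1.1" 200 5300',
    '192.0.2.12 - - [03/Nov/2006:18:20:09 +0000] '
    '"GET /simplog/index.php?blogid=1%27 HTTP/1.1" 200 812',
    '192.0.2.13 - - [03/Nov/2006:18:20:12 +0000] '
    '"GET /static/help.php?blogid=abc HTTP/1.1" 200 300',
]

def scan(lines):
    """Collect every hit across the lines, keeping the 1-based line number."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in suspicious_params(line)]

if __name__ == "__main__":
    for lineno, (script, param, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {script} {param}={value!r}")
```

The same numeric check, applied server-side before the value reaches a query or a page, is the corresponding input validation for these parameters.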