Bugtraq mailing list archives
evoBlog Remote Name tag Script injection
From: sikik () bsdmail org
Date: 6 Mar 2006 13:58:00 -0000
DESCRIPTION
evoBlog is prone to HTML injection attacks. It is possible for a malicious evoBlog user to inject hostile HTML and
script code into the commentary via form fields. This code may be rendered in the browser of a web user who views the
commentary of evoBlog.
evoBlog does not adequately filter HTML tags from various fields. This may enable an attacker to inject arbitrary
script code into pages that are generated by the evoBlog.
All versions are vulnerable.
EXPLOIT
Write and HTML script for example: <script>alert('test')</script> in the name tag.
HOMEPAGE
http://www.ajaxreview.com/
Current thread:
- evoBlog Remote Name tag Script injection sikik (Mar 06)
