Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
BID:24363
Info
Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 24363 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3135 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 07 2007 12:00AM |
| Updated: | May 07 2015 05:37PM |
| Credit: | Serapis.net is credited with the discovery of the cross-site scripting vulnerability. The vendor disclosed the HTML-injection issues. |
| Vulnerable: |
ilenvo Atom PhotoBlog 1.0.9 ilenvo Atom PhotoBlog 1.0.1 |
| Not Vulnerable: |
ilenvo Atom PhotoBlog 1.0.9 .1 |
Discussion
Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
Atom PhotoBlog is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input data before rendering it in a user's browser. These issues include multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability.
Attackers could exploit these issues to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.
Versions prior to Atom PhotoBlog 1.0.9.1 are vulnerable.
Atom PhotoBlog is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input data before rendering it in a user's browser. These issues include multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability.
Attackers could exploit these issues to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.
Versions prior to Atom PhotoBlog 1.0.9.1 are vulnerable.
Exploit / POC
Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
Attackers can use a browser to exploit these issues. To exploit a cross-site scripting issue, the attacker must entice a victim to follow a malicious URI.
The following proof-of-concept URI is available:
Attackers can use a browser to exploit these issues. To exploit a cross-site scripting issue, the attacker must entice a victim to follow a malicious URI.
The following proof-of-concept URI is available:
Solution / Fix
Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
Solution:
The vendor has released Atom PhotoBlog 1.0.9.1 to address these issues. Please see the references for more information.
ilenvo Atom PhotoBlog 1.0.1
ilenvo Atom PhotoBlog 1.0.9
Solution:
The vendor has released Atom PhotoBlog 1.0.9.1 to address these issues. Please see the references for more information.
ilenvo Atom PhotoBlog 1.0.1
-
ilenvo atomphotoblogV1.0.9.1.tar.gz
http://downloads.sourceforge.net/atomphotoblog/atomphotoblogV1.0.9.1.t ar.gz?modtime=1181180252&big_mirror=0
ilenvo Atom PhotoBlog 1.0.9
-
ilenvo atomphotoblogV1.0.9.1.tar.gz
http://downloads.sourceforge.net/atomphotoblog/atomphotoblogV1.0.9.1.t ar.gz?modtime=1181180252&big_mirror=0
References
Atom PhotoBlog AtomPhotoBlog.PHP Multiple Input Validation Vulnerabilities
References:
References:
- Vendor Homepage (ilenvo)
- Atom PhotoBlog v1.0.9 XSS vulnerability (Serapis)