Maran Blog Comments.PHP Cross Site Scripting Vulnerability
BID:24409
Info
Maran Blog Comments.PHP Cross Site Scripting Vulnerability
| Bugtraq ID: | 24409 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3198 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 11 2007 12:00AM |
| Updated: | May 07 2015 05:37PM |
| Credit: | ls is credited with discovering this issue. |
| Vulnerable: |
Maran Project Maran Blog 0 |
| Not Vulnerable: | |
Discussion
Maran Blog Comments.PHP Cross Site Scripting Vulnerability
Maran Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Maran Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Exploit / POC
Maran Blog Comments.PHP Cross Site Scripting Vulnerability
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Maran Blog Comments.PHP Cross Site Scripting Vulnerability
Solution:
Reportedly, the vendor fixed this issue. Please contact the vendor for more information. Symantec has not confirmed this.
Solution:
Reportedly, the vendor fixed this issue. Please contact the vendor for more information. Symantec has not confirmed this.
References
Maran Blog Comments.PHP Cross Site Scripting Vulnerability
References:
References:
- Maran Blog Homepage (Maran Project)
- Maran Blog XSS vulnerability (ls)