LiveJournal HTML Injection Vulnerability
BID:9700
Info
LiveJournal HTML Injection Vulnerability
| Bugtraq ID: | 9700 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-0310 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 19 2004 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | Disclosure of this issue has been credited to "Joshua P. Miller" <[email protected]>. |
| Vulnerable: |
LiveJournal LiveJournal 1.1 LiveJournal LiveJournal |
| Not Vulnerable: | |
Discussion
LiveJournal HTML Injection Vulnerability
It has been reported that LiveJournal is prone to a remote HTML injection vulnerability. This issue arises due to insufficient sanitization of user provided input allowing injection of HTML and script code into site content.
The injected code could then be interpreted by the browser of a user visiting a page that includes user-supplied hostile content. This attack would occur in the security context of the affected site.
This could be used to steal cookie-based authentication from other users. Other attacks are also possible.
It should be noted that the attacker must be a registered user with the ability to post malicious content in their journal.
It has been reported that LiveJournal is prone to a remote HTML injection vulnerability. This issue arises due to insufficient sanitization of user provided input allowing injection of HTML and script code into site content.
The injected code could then be interpreted by the browser of a user visiting a page that includes user-supplied hostile content. This attack would occur in the security context of the affected site.
This could be used to steal cookie-based authentication from other users. Other attacks are also possible.
It should be noted that the attacker must be a registered user with the ability to post malicious content in their journal.
Exploit / POC
LiveJournal HTML Injection Vulnerability
No exploit is required to leverage this issue.
No exploit is required to leverage this issue.
Solution / Fix
LiveJournal HTML Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
LiveJournal HTML Injection Vulnerability
References:
References:
- Product Home Page (LiveJournal)
- LiveJournal XSS (Joshua Miller