|
Family: CGI abuses --> Category: attack
myBloggie Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary Searches for the existence of a myBloggie
Detailed Explanation for this Vulnerability Test
The remote host is running myBloggie, a web log system written in PHP.
The remote version of this software has been found contain multiple
vulnerabilities:
* Full Path Disclosure
Due to an improper sanitization of the post_id parameter, it's possible
to show the full path by sending a simple request.
* Cross-Site Scripting (XSS)
Input passed to 'year' parameter in viewmode.php is not properly sanitised
before being returned to users. This can be exploited execute arbitrary
HTML and script code in a user's browser session in context of a vulnerable
site.
* SQL Injection
When myBloggie get the value of the 'keyword' parameter and put it in the
SQL query, don't sanitise it. So a remote user can do SQL injection attacks.
Solution: Patches have been provided by the vendor and are available at:
http://mywebland.com/forums/viewtopic.php?t=180
Risk factor: High
Click HERE for more information and discussions on this network vulnerability scan.
|