Vulnerability Assessment & Network Security Forums

If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important. If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.

Home >> Browse Vulnerability Assessment Database >> CGI abuses >> myBloggie Multiple Vulnerabilities

Vulnerability Assessment Details

myBloggie Multiple Vulnerabilities

Vulnerability Assessment Summary
Searches for the existence of a myBloggie

Detailed Explanation for this Vulnerability Assessment

The remote host is running myBloggie, a web log system written in PHP.

The remote version of this software has been found contain multiple
vulnerabilities:

* Full Path Disclosure
Due to an improper sanitization of the post_id parameter, it's possible
to show the full path by sending a simple request.

* Cross-Site Scripting (XSS)
Input passed to 'year' parameter in viewmode.php is not properly sanitised
before being returned to users. This can be exploited execute arbitrary
HTML and script code in a user's browser session in context of a vulnerable
site.

* SQL Injection
When myBloggie get the value of the 'keyword' parameter and put it in the
SQL query, don't sanitise it. So a remote user can do SQL injection attacks.

Solution: Patches have been provided by the vendor and are available at:
http://mywebland.com/forums/viewtopic.php?t=180

Risk factor: High

Networks Security ID: 13192, 13507

Vulnerability Assessment Copyright: This script is Copyright (C) 2005 Noam Rathaus

Cables, Connectors