Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
Back to list
|
Post reply
b2evolution XSS Vulnerabilities
Nov 28 2006 07:34PM
tarkus tiifp org
_________________________________________
Security Advisory
_________________________________________
_________________________________________
Severity: Medium
Title: b2evolution XSS Vulnerability
Date: 28.11.06
Author: tarkus (tarkus (at) tiifp (dot) org)
Web: https://tiifp.org/tarkus
Vendor: b2evolution (http://b2evolution.net/)
Affected Product(s): b2evolution 1.8.2 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description:
------------
http://<victim>/<b2epath>/inc/VIEW/errors/_404_not_found.page.php?bas eurl=[XSS]&app_name=[XSS]
http://<victim>/<b2epath>/inc/VIEW/errors/_410_stats_gone.page.php?ap p_name=[XSS]
http://<victim>/<b2epath>/inc/VIEW/errors/_referer_spam.page.php?ReqU RI=[XSS]&app_name=[XSS]
Workaround:
-----------
Put the following line at the beginning of the files.
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
Timeline:
---------
Reported to Vendor: 10.11.06
Vendor response: 10.11.06
Patch in CVS: 10.11.06
[ reply ]
Privacy Statement
Copyright 2008, SecurityFocus
Security Advisory
_________________________________________
_________________________________________
Severity: Medium
Title: b2evolution XSS Vulnerability
Date: 28.11.06
Author: tarkus (tarkus (at) tiifp (dot) org)
Web: https://tiifp.org/tarkus
Vendor: b2evolution (http://b2evolution.net/)
Affected Product(s): b2evolution 1.8.2 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description:
------------
http://<victim>/<b2epath>/inc/VIEW/errors/_404_not_found.page.php?bas eurl=[XSS]&app_name=[XSS]
http://<victim>/<b2epath>/inc/VIEW/errors/_410_stats_gone.page.php?ap p_name=[XSS]
http://<victim>/<b2epath>/inc/VIEW/errors/_referer_spam.page.php?ReqU RI=[XSS]&app_name=[XSS]
Workaround:
-----------
Put the following line at the beginning of the files.
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
Timeline:
---------
Reported to Vendor: 10.11.06
Vendor response: 10.11.06
Patch in CVS: 10.11.06
[ reply ]