
Test ID: 1.3.6.1.4.1.25623.1.0.18209
Category: Web application abuses
Title: myBloggie Multiple Vulnerabilities
Summary: myBloggie is prone to multiple vulnerabilities.
Description:
Summary:
myBloggie is prone to multiple vulnerabilities.

Vulnerability Insight:
The following flaws exist:

- Full Path Disclosure: Due to improper sanitization of the post_id parameter, it is
possible to reveal the full path by sending a simple request.

- Cross-Site Scripting (XSS): Input passed to the 'year' parameter in viewmode.php is not
properly sanitised before being returned to users. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context of a
vulnerable site.

- SQL Injection: myBloggie places the value of the 'keyword' parameter into the SQL
query without sanitising it, so a remote user can perform SQL injection attacks.

Affected Software/OS:
myBloggie 2.1.1 is known to be affected.

Solution:
Patches have been provided by the vendor and are
available at the referenced URL.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2005-1140
BugTraq ID: 13192
http://www.securityfocus.com/bid/13192
Bugtraq: 20050415 myBloggie 2.1.1 (Google Search)
http://www.securityfocus.com/archive/1/395988
Common Vulnerability Exposure (CVE) ID: CVE-2005-1498
BugTraq ID: 13507
http://www.securityfocus.com/bid/13507
Bugtraq: 20050505 Multiple vulnerabilities in myBloggie 2.1.1 (Google Search)
http://marc.info/?l=bugtraq&m=111531904608224&w=2
http://mywebland.com/forums/viewtopic.php?t=180
XForce ISS Database: mybloggie-script-injection(20436)
https://exchange.xforce.ibmcloud.com/vulnerabilities/20436
XForce ISS Database: mybloggie-viewmodephp-xss(20434)
https://exchange.xforce.ibmcloud.com/vulnerabilities/20434
Common Vulnerability Exposure (CVE) ID: CVE-2005-1499
http://secunia.com/advisories/14980
XForce ISS Database: mybloggie-delcomment-bypass-security(20437)
https://exchange.xforce.ibmcloud.com/vulnerabilities/20437
Common Vulnerability Exposure (CVE) ID: CVE-2005-1500
BugTraq ID: 15017
http://www.securityfocus.com/bid/15017
Bugtraq: 20050527 SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2 (Google Search)
http://marc.info/?l=bugtraq&m=111722848308367&w=2
XForce ISS Database: mybloggie-sql-injection(20439)
https://exchange.xforce.ibmcloud.com/vulnerabilities/20439
Copyright: Copyright (C) 2005 Noam Rathaus





© 1998-2025 E-Soft Inc. All rights reserved.