ERNW Security Advisory
Cross-Site Scripting Vulnerability in Newtelligence DasBlog
Dominick Baier <email@example.com>
An XSS (cross-site scripting) vulnerability in DasBlog’s Event and Activity Viewer allows an attacker to inject code that is executed on the client’s machine. This allows the attacker to transfer the ASP.NET authentication cookie to a server of their choice. The attacker can then use this cookie to log on to DasBlog and modify blog entries and configuration settings.
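The class of bug described above, as an added example that is not DasBlog's code or the vendor's patch: a log viewer row rendered without and with HTML encoding at output time. It assumes the viewer displays values taken from incoming requests; the LogEntry type, its field names and the sample values are hypothetical.

```csharp
using System;
using System.Net;
using System.Text;

// Hypothetical model of one row in an event/activity log viewer.
// Field names are assumptions; they are not DasBlog's types.
public sealed class LogEntry
{
    public DateTime TimeUtc;
    public string Url;
    public string Referrer;
    public string UserAgent;
}

public static class LogViewer
{
    // Unsafe: request-derived strings are concatenated into markup as-is,
    // so markup in a logged value becomes part of the administrator's page.
    public static string RenderRowUnsafe(LogEntry e)
    {
        return "<tr><td>" + e.TimeUtc.ToString("u") + "</td><td>" + e.Url +
               "</td><td>" + e.Referrer + "</td><td>" + e.UserAgent + "</td></tr>";
    }

    // Hardened: every value is HTML-encoded when it is written to the page.
    public static string RenderRowSafe(LogEntry e)
    {
        var sb = new StringBuilder("<tr>");
        foreach (string cell in new[] { e.TimeUtc.ToString("u"), e.Url, e.Referrer, e.UserAgent })
            sb.Append("<td>").Append(WebUtility.HtmlEncode(cell ?? "")).Append("</td>");
        return sb.Append("</tr>").ToString();
    }

    public static void Main()
    {
        // Constructed sample entry with an inert marker tag in one logged value.
        var e = new LogEntry
        {
            TimeUtc = new DateTime(2004, 8, 15, 12, 0, 0, DateTimeKind.Utc),
            Url = "/default.aspx",
            Referrer = "http://example.test/\"><b id=marker>x</b>",
            UserAgent = "SampleAgent/1.0"
        };
        Console.WriteLine(RenderRowUnsafe(e)); // marker tag reaches the page as markup
        Console.WriteLine(RenderRowSafe(e));   // marker tag is displayed as text
    }
}
```

Marking the authentication cookie HttpOnly limits what injected script can read, but encoding at output is what removes the injection itself.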
2. Severity: Critical
3. Systems affected
Tested with IE 6 and Firefox 0.93
Examples of script injections
Leading e.g. to the following HTTP request
GET / HTTP/1.1
Install the patch.
The vulnerability was found on the 15th August 2004. The author was contacted on the same day, with an immediate response. The patch was provided on the 30th August 2004.
The information in this advisory is provided “AS IS” without warranty
of any kind. In no event shall the authors be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages due to the misuse of any
information provided in this advisory.