AOH :: HP Unsorted P :: B06-5015.HTM

Pebble 2.0.0 RC XSS vulnerability [Paolo Pereg



Pebble 2.0.0 RC XSS vulnerability
Pebble 2.0.0 RC XSS vulnerability



Software: Pebble
Version: 2.0.0 RC1 - 2.0.0 RC2
Author: Simon Brown
Homepage: http://pebble.sourceforge.net 

Abstract
Pebble is a blogging system built upon java and XML. There is no
database to store the data into but just XML is used instead.

Description

Vulnerability: XSS vulnerability in "search" functionality. Query
string wasn't parsed for HTML and while printing it out for "Search
with google" link, the XSS can be done.

Workaround
Disable "Search with google" link in the user result page or, better,
update to the latest version in subversion.

History

Author contacted: 20 september
Author replyed: 20 september
Patch published in Subversion archive: 27 september


Disclaimer:

This advisory intended to be informational. No responsibility is taken
for its misuse.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.