BBCode XSS Vulnerabilities in My Blog

Summary

Vulnerability: BBCode XSS Vulnerabilities in My Blog
Discovered: 2006.02.13
Last Update: 2006.02.16 CVE entry added
ID: EV0079
CVE: CVE-2006-0735
Risk Level: low
Type: Cross Site Scripting
Status: Patched
Vendor: n/a
Vulnerable Software: My Blog (http://fuzzymonkey.net/cgi-bin/download.cgi?file=blog)
Version: My Blog 1.63
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Cross Site Scripting found in My Blog (http://fuzzymonkey.net/cgi-bin/download.cgi?file=blog) script.

Arbitrary script code insertion is possible in BBcode [url] and [img] tags.

BBcode Cross-Site Scripting Examples:

[img]javascript:alert(123)[/img]

[url=javascript:alert(123)]Click me[/url]

Install new version: 1.65 or replace BBCode.pm module by new one from:
http://menno.b10m.net/perl/dists/HTML-BBCode-1.05.tar.gz