Two vulnerabilities have been identified in JBlog, which could be exploited by attackers to gain unauthorized access to an affected application or execute arbitrary scripting code.

The first issue is caused by missing authentication checks in the "admin/ajoutaut.php" script, which could be exploited by attackers to create or delete arbitrary accounts (e.g. admin) and compromise an affected application.

The second vulnerability caused by input validation errors in the "index.php" and "recherche.php" scripts when processing user-supplied parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products

JBlog version 1.0 and prior

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2007/2611

Credits

Vulnerabilities reported by S4mi.

Changelog

2007-07-23 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.