Cross Site Script Exploit in BlogSphere V3.0.1 Beta 7 and lower

A XSS exploit has been brought to my attention
in BlogSphere V3.0.1 Beta 7 and earlier.  The exploit works by adding
javascript to one of the fields used for adding comments to a blogsphere
V3.0.1 based site.

I am working on a fix for the exploit
and should have it release very quickly however for the moment I would
suggest disabling comments in the master configuration.

Tagged with:
Posted in Uncategorized
6 comments on “Cross Site Script Exploit in BlogSphere V3.0.1 Beta 7 and lower
  1. Anonymous says:

    Does this effect version 2 as well? I haven’t had time to upgrade yet…


  2. What he said. Version 2.5.1 here.


  3. I can’t tell what version my blogsphere is (its old, and its not the same version it started out as) but, mine was definiatly vulnerable.

    In mine, I updated the 3rd column formula in the view “HTMLCommentsBottom” to replace out the less than and greater than signs with html > and <

    in hindsite, I probably could have updated my selection formula to exclude the documents all together.

    This formula seems to work.

    SELECT Form=”StoryResponse” | ( Form = “StoryTrackBack” & TrackBackStatus = “Verified”) & !@Contains( nameAuthor +txtURL+Body ;”<“)

    I only tracked down the if statements of the paths that my blog was configured with, I suspect that “HTMLCommentsTop” might need that fomula if your blog is configured differently than mine.

    Note that on older versions, the JS strips the < and >, but, its not tricky to get around that from the client. the body still needs to be addressed.

    I’ve been trying to get the beta working, but still having trouble finding out which documents need to exist and what they need to have in them. I suppose that I just have not looked hard enough for instructions.


  4. Also, putting this input validation formula in NameAuthor, txtURL and Body should do the trick.
    @If(@Contains( @LowerCase(@thisvalue);”<script”);@failure(“Cross site scripting is not allowed”);@Success);

    I did notice with the selsection formula trick from above, the counts are off, so, there is somehere else that that formula needs to be aplied too.


  5. What_A_Legend says:

    Hello people, I am the person whom found this exploit it was a simple validation error located in the ‘Name’ field, from the testing I have done on some over blogsphere platforms I found all versions can be attacked via this injection.


  6. Declan Lynch says:

    A new build of BlogSphere V3 shouldbe available by Friday. I’m still doing some testing to make sure that I managed to close the XSS exploit.If you are still running on BlogSphere V2.x then I suggest you look at the WebQuerySave agent for new comments. This is where I have added the checks for the XSS in V3.


Comments are closed.

%d bloggers like this: