CDRInfo Forum CDRInfo Forum

Forums  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

Blog Technologies Vulnerable to Hackers   Logged in as: Guest
Viewers: 1035 You can click here to see Today's Posts | Most Active Topics | Posts Since Last Visit
  Printable Version
All Forums >> [News Around The Web] >> Security News >> Blog Technologies Vulnerable to Hackers Page: [1]
Login
Message << Older Topic   Newer Topic >>
Blog Technologies Vulnerable to Hackers - 10/3/2006 5:21:45 AM   
cadoo


Posts: 6810
Joined: 8/1/2006
From: Serbia
Status: offline
Cenzic today announced that researchers in the company's CIA (Cenzic Intelligent Analysis) Lab have discovered a cross-site scripting vulnerability in Blojsom, a Java-based multi-blog software package that is the underlying technology for such blogs as Apple Computer's OS X Server Weblog Server. This vulnerability has the potential to compromise a user's account.

According to Cenzic analysts, users who register and publish on a blog site based on Blojsom can be unknowingly left susceptible to malicious activities. Other leading blog servers have also recently been cited as vulnerable. [Editor's Note: Please see Cenzic press release, "Cenzic Intelligent Analysis Lab Identifies Potentially Threatening Application Vulnerabilities in Blog Technology" at http://easypr.marketwire.com/easyir/prssrel.do?easyirid=308DDC21CFAD2E72&version=live&prid=166721&releasejsp=release. Cross-Site Scripting typically involves executing commands in a user's browser to display unintended content, or with the intent of stealing the user's login credentials or other personal information. This information can be used by the attacker to access web sites and services for which the compromised credentials are valid (e.g., identity theft). In some cases, the attacker might be able to use this information to hijack or further compromise the user's HTTP sessions.

Once this vulnerability was discovered, the Blojsom team was immediately notified and has applied a fix which is available in Blojsom 2.32. Users can be classified as both, users of a blogging site running Blojsom as well as users who actually host a Blojsom weblogging application. Cenzic's findings have been submitted to CERT (tracking number VU#366900) and have been verified by Bugtraq (BUGTRAQ #20026 http://www.securityfocus.com/bid/20026/info, http://www.securityfocus.com/archive/1/446009). Cenzic has also submitted signatures to Snort (www.snort.org), which are part of the Snort community rule set. Sig Ids SIDs 100000895-100000899.

CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments. Since discovering the hole, Cenzic's research professionals have worked with the Blojsom team to provide counsel and support in addressing the issue.

Using a proprietary formula for calculating the severity of vulnerability information, Cenzic deemed this a threat worth recognition not only due to the technical aspects inherent to the threat, but also because of the popularity and widespread use of Blojsom technology.

"Blojsom and other popular blog technologies have been identified by the CIA Lab for cross-site scripting vulnerabilities, which fortunately can be fixed relatively quickly," said Ambarish Malpini, CTO of Cenzic. "Cenzic protects web applications not only against common threats such as these but also more serious threats such as phishing that could provide attackers access to confidential user information."


_____________________________


http://www.cdrinfo.com/
Post #: 1
Page:   [1]
All Forums >> [News Around The Web] >> Security News >> Blog Technologies Vulnerable to Hackers Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts




Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.063