BlogPHP 2.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities

Author: David Sopas Ferreira
type: webapps
platform: php
port: 
date_added: 2008-05-10  
date_updated: 2016-12-09  
verified: 1  
codes: CVE-2008-6631;OSVDB-45038  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comBlogPHPv2.zip  

raw file: 31774.txt  

source: https://www.securityfocus.com/bid/29133/info

BlogPHP is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, an HTML-injection issue, and a cookie-manipulation issue.

Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, and gain access as an arbitrary user.

BlogPHP 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?act=sendmessage&user=admin[XSS]