CVE-2006-1205

Name of the Vulnerable Software and Affected Versions myWebland myBloggie versions 2.1.3 beta and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files. This can be achieved through the confirmredirect and post id parameters in delcomment.php, the del and message parameters in upload.php, the errormsg parameter in addcat.php, edituser.php, adduser.php, and editcat.php, the trackback url parameter in add.php, the id parameter in deluser.php, the cat id parameter in delcat.php, and the post id parameter in del.php. These parameters are reachable from various files, including index.php and admin.php.

Recommendations For myWebland myBloggie versions 2.1.3 beta and earlier, consider disabling the affected parameters, such as confirmredirect, post id, del, message, errormsg, trackback url, id, cat id, to minimize the risk of exploitation until a patch is available. Restrict access to the vulnerable PHP files, including delcomment.php, upload.php, addcat.php, edituser.php, adduser.php, editcat.php, add.php, deluser.php, delcat.php, and del.php, to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this issue.