[VIM] QBv14 is a real downloadable product

Stuart Moore smoore at securityglobal.net
Thu May 25 09:35:06 EDT 2006


This particular report has essentially been reported before.  The real 
product name appears to be QuickBlogger, and QBv14 is the particular 

You had a good post about this in April [see also CVE-2006-1791]:


Donnie Werner also reported back in 2005 that some of the fields are not 


So, most likely, between CVE-2005-4785 and CVE-2006-1791, this report by 
Nomenumbra is a repeat and that's why it isn't showing up in the VDBs.

I seem to think that another recent post by Nomenumbra was a repeat, as 


Steven M. Christey wrote:
> Ref:
>    BUGTRAQ:20060522 QBv14 XSS
>    URL:http://www.securityfocus.com/archive/1/archive/1/434823/100/0/threaded
> I noticed vdb's haven't touched this yet.  They must still be poring
> over the comprehensive details that were provided for this wildly
> popular product.
> A zip file was available from here:
>   http://www.hotscripts.pl/downloads/php6/?M=A
> I dunno if it's got XSS, but I glanced at acc.php and saw this:
>   if ($_GET['request'] == "") {
>       $page = "actions/main.php";
>   }
>   else {
>       $page = "actions/" . $_GET['request'] . ".php";
>   }
>   include $page;
> which, um, looks kinda suspicious.
> - Steve
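The dispatcher Steve quotes builds the include path straight from `$_GET['request']`, so the request parameter, not the application, decides which file is included. The following is an added example written for this archive page, not code from QuickBlogger or from anyone in the thread: it keeps the same "default to main, otherwise pick an action" behaviour, but the request value is only ever used as a lookup key into a fixed allowlist, and the resolved path is checked against the actions directory before `include`. The action names and file names in the allowlist are assumptions; the real product's action files are not known from the thread.

```php
<?php
// Added example: hardened replacement for the acc.php dispatcher quoted above.
// The request name is never interpolated into a path; it only selects an entry
// from a fixed allowlist, so a value such as "../../etc/passwd" or a remote URL
// can never reach include().

// Allowlist of action name -> file under actions/ (names are assumed here).
const ACTIONS = [
    'main'    => 'main.php',
    'post'    => 'post.php',
    'comment' => 'comment.php',
];

/**
 * Map a raw request parameter to an allowlisted action file name.
 * Returns null when the request is not a known action.
 */
function resolveAction(?string $request): ?string
{
    // Missing or empty request falls through to the default page, as before.
    if ($request === null || $request === '') {
        $request = 'main';
    }
    // Anything outside the allowlist is rejected rather than interpolated.
    return ACTIONS[$request] ?? null;
}

$actionsDir = realpath(__DIR__ . '/actions');
$file = resolveAction($_GET['request'] ?? null);

if ($actionsDir === false || $file === null) {
    http_response_code(404);
    exit('unknown action');
}

// Defence in depth: even though the allowlist already guarantees it, confirm
// the resolved file really lives inside the actions directory before including.
$real = realpath($actionsDir . DIRECTORY_SEPARATOR . $file);
if ($real === false || strpos($real, $actionsDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('action misconfigured');
}

include $real;
```

The point of the allowlist is that adding a new action means editing the table, not relaxing validation; rejecting unknown values with a 404 also gives a clean signal in the access log when someone probes the `request` parameter with paths or URLs.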
