QUOTE

Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium (website defacement)
Affected version: <= v3.2.1
Vendor: PixySOft.

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

* Problem Description *

A new vulnerability exists in the title and content of a message: input characters
are not filtered, so HTML code can be injected.

* Example *
Type in the title or content of msg

<script>alert(document.cookie)</script>

<iframe src=http://othersite/sb.php>

* Fix *
Contact the Vendor.



Source: http://seclists.org/lists/bugtraq/2005/May/0127.html
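
The advisory gives no fix beyond contacting the vendor. The sketch below is an added example, not code from the advisory or from Guestbook PRO: it shows output encoding for the two affected fields and an audit of already-stored entries for markup. The entry layout, the function names and the use of Python are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample entries; entries 1 and 2 carry the strings from the advisory.
SAMPLE_ENTRIES = [
    {"title": "Nice site", "content": "Greetings from 2005 & thanks!"},
    {"title": "<script>alert(document.cookie)</script>", "content": "hi"},
    {"title": "hello", "content": "<iframe src=http://othersite/sb.php>"},
]

class _TagFinder(HTMLParser):
    """Collects the names of any HTML start tags found in a field."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def find_tags(value):
    """Return the tag names present in a stored field value."""
    finder = _TagFinder()
    finder.feed(value)
    finder.close()
    return finder.tags

def audit_entries(entries):
    """Return (index, field, tags) for stored entries that already contain markup."""
    findings = []
    for i, entry in enumerate(entries):
        for field in ("title", "content"):  # the two fields named in the advisory
            tags = find_tags(entry[field])
            if tags:
                findings.append((i, field, tags))
    return findings

def render_entry(entry):
    """Encode both fields on output so stored markup is displayed as text."""
    title = html.escape(entry["title"], quote=True)
    content = html.escape(entry["content"], quote=True)
    return f'<div class="entry"><h3>{title}</h3><p>{content}</p></div>'

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_ENTRIES):
        print("stored markup:", finding)
    for entry in SAMPLE_ENTRIES:
        print(render_entry(entry))
```

Encoding at render time covers entries stored before any input filter was introduced, which is why the audit and the encoder are shown together.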