Guestbook Pro XSS & HTML Injection
May 11 2005 12:36AM
SoulBlack Group (soulblacktm gmail com)
============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium (website defacement)
Affected version: <= v3.2.1
Vendor: PixySoft
============================================================
* Summary *
Guestbook PRO is an advanced guestbook for WebApp.
------------------------------------------------------------------------
* Problem Description *
A new vulnerability exists in the content and title of a message: the input characters are not controlled, so HTML code can be injected.
------------------------------------------------------------------------
* Example *
Type in the title or content of a message:
<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
------------------------------------------------------------------------
* Fix *
Contact the Vendor.
------------------------------------------------------------------------
* References *
http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt
------------------------------------------------------------------------
* Credits *
Vulnerability reported by SoulBlack Security Research
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
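As an added illustration (not the advisory author's or the vendor's code), the flaw the post describes as a minimal rendering routine beside its hardened form, which HTML-encodes the stored title and content at output time, plus a regression check that the two payloads quoted above no longer reach the page as live markup. The entry template and the sample entries are constructed assumptions; the real Guestbook PRO source is not on this page.

```python
import html
import re

# Constructed sample guestbook entries: one benign post plus the two payloads
# quoted in the advisory, stored exactly as a visitor would have submitted them.
SAMPLE_ENTRIES = [
    {"title": "Hello", "content": "Nice site & thanks!"},
    {"title": "<script>alert(document.cookie)</script>", "content": "hi"},
    {"title": "hi", "content": "<iframe src=http://othersite/sb.php>"},
]

# Hypothetical entry template; the real Guestbook PRO markup is not known here.
TEMPLATE = "<div class='entry'><h3>{title}</h3><p>{content}</p></div>"


def render_entry_unsafe(entry):
    """Reproduces the flaw the advisory describes: stored fields are written
    into the page verbatim, so any tags a visitor typed become live markup."""
    return TEMPLATE.format(title=entry["title"], content=entry["content"])


def render_entry_safe(entry):
    """Hardened version: HTML-encode both fields at output time so '<', '>',
    '&' and quotes are displayed as text instead of being parsed as markup."""
    return TEMPLATE.format(
        title=html.escape(entry["title"], quote=True),
        content=html.escape(entry["content"], quote=True),
    )


def render_guestbook(entries, safe=True):
    """Render the whole guestbook page from stored entries with the chosen renderer."""
    render = render_entry_safe if safe else render_entry_unsafe
    return "\n".join(render(e) for e in entries)


# Elements the template itself never emits; seeing one in the output means
# visitor-supplied markup reached the browser unencoded.
ACTIVE_TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|object|embed|img|svg)\b", re.I)


def has_injected_markup(rendered_html):
    """Regression check on rendered output: True if an active element that is
    not part of our own template appears in the page."""
    return ACTIVE_TAG_RE.search(rendered_html) is not None


if __name__ == "__main__":
    for safe in (False, True):
        page = render_guestbook(SAMPLE_ENTRIES, safe=safe)
        status = "injected markup found" if has_injected_markup(page) else "clean"
        print("safe" if safe else "unsafe", "->", status)
```

Encoding at output time is the fix that holds regardless of how the entry got into the database; rejecting suspicious input on the way in is only a secondary layer.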
Copyright 2009, SecurityFocus