This advisory can be found at www.blacktigerz.org.
Description:
Easy to manage and configure asp powered guestbook.
Works with MS Access database or without it.
Vendor:
http://www.sakki.net
Vulnerability:
gb.asp neglects filtering user input allowing for script injection to
the guestbook via
"name" , "city/state" and "own url" fields. The injected script will be
executed in anyones
browser who visits the guestbook.
____________________________
Best Regards, drG4njubas
Black Tigerz Research Group
http://www.blacktigerz.org
Description:
Easy to manage and configure asp powered guestbook.
Works with MS Access database or without it.
Vendor:
http://www.sakki.net
Vulnerability:
gb.asp neglects filtering user input allowing for script injection to
the guestbook via
"name" , "city/state" and "own url" fields. The injected script will be
executed in anyones
browser who visits the guestbook.
____________________________
Best Regards, drG4njubas
Black Tigerz Research Group
http://www.blacktigerz.org
[ reply ]