Full Disclosure mailing list archives
Guesbook Pro XSS & HTML Injection
From: SoulBlack Group <soulblacktm () gmail com>
Date: Tue, 10 May 2005 21:36:58 -0300
============================================================
============================================================
Title: Guestbook PRO Vulnerability
Discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium (website defacement)
Affected version: <= v3.2.1
Vendor: PixySoft
============================================================
============================================================

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

------------------------------------------------------------

* Problem Description *

The title and content fields of a message are not filtered for special characters, so HTML code (including script) can be injected into the stored message and is displayed to visitors of the guestbook.

------------------------------------------------------------

* Example *

Type the following in the title or content of a message:

<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>

------------------------------------------------------------

* Fix *

Contact the vendor.

------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt

------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar
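The defect class the advisory describes (guestbook title and content echoed into the page unencoded) and its fix, as an added Node.js example that is not PixySoft's code or SoulBlack's; the guestbook's request handling and storage are assumed and only the rendering step is shown.

```javascript
// Added example (not from Guestbook PRO): a minimal guestbook entry renderer
// showing the advisory's defect beside the hardened form. Request handling and
// storage are assumed; only the templating step that builds the HTML is shown.

// Encode the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the stored title and content are concatenated straight into
// the page, so markup submitted by one poster is delivered to every visitor.
function renderEntryVulnerable(entry) {
  return `<div class="entry"><h3>${entry.title}</h3><p>${entry.content}</p></div>`;
}

// Hardened form: same output for benign text, but every untrusted field is
// HTML-encoded on output, so submitted tags are shown as literal text.
function renderEntrySafe(entry) {
  return `<div class="entry"><h3>${escapeHtml(entry.title)}</h3><p>${escapeHtml(entry.content)}</p></div>`;
}

// Constructed sample entry using the strings quoted in the advisory's example.
const sampleEntry = {
  title: "<script>alert(document.cookie)</script>",
  content: "hello <iframe src=http://othersite/sb.php>",
};

// Simple review check: does the rendered page still carry raw active tags
// that originated in user input? True means the renderer is unsafe.
function containsRawUserMarkup(html) {
  return /<(script|iframe)\b/i.test(html);
}

console.log(containsRawUserMarkup(renderEntryVulnerable(sampleEntry))); // true
console.log(containsRawUserMarkup(renderEntrySafe(sampleEntry)));       // false
```

The same check can be run against any page that displays stored guestbook entries to confirm that user-supplied fields are encoded on output rather than filtered on input only.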