Bugtraq mailing list archives
CGI-City's CCGuestBook Script Injection Vulns
From: "BrainRawt ." <brainrawt () hotmail com>
Date: Sat, 29 Mar 2003 18:47:04 +0000
CGI-City's CCGuestBook Script Injection Vulnerabilities

Discovered By BrainRawt (brainrawt () hotmail com)

About CCGuestBook:
------------------
CC Guestbook is a simple guestbook program that is very easy to configure and install. It features a notification facility which sends an email alert to the guestbook owner whenever new entries are made. It may also be used as a post-it board to allow visitors to a web site to just post messages.

CCGuestBook can be downloaded from the following address.
http://www.icthus.net/CGI-City/scr_cgicity.shtml#CCGUEST

Vendor Contact:
----------------
1-30-03 Emailed cgicity () icthus net
No Response

Vulnerability:
----------------
cc_guestbook.pl neglects filtering user input, allowing for script injection to the guestbook via "name" and "webpage title". The injected script will be executed in the browser of anyone who visits the guestbook.

Exploit (POC):
----------------
<script>alert('obvious?')</script>
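
The missing output filtering described in the advisory, shown beside an encoded form. This is an added example, not part of the original post and not code from cc_guestbook.pl; the field keys (name, title), the length caps and all function names are assumptions.

```perl
#!/usr/bin/perl
# Added example: hypothetical entry renderer, not code from cc_guestbook.pl.
use strict;
use warnings;

# Characters that change the HTML parsing context, mapped to entities.
my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

# Encode a value for HTML element content or a quoted attribute.
sub html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Normalise a single-line form field: drop control characters, cap length.
# Truncation happens before encoding so an entity is never cut in half.
sub clean_field {
    my ($value, $max_len) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\x00-\x1f\x7f]//g;
    return substr($value, 0, $max_len);
}

# Vulnerable pattern: fields interpolated into the page unmodified.
sub render_entry_unsafe {
    my (%f) = @_;
    return "<p><b>$f{name}</b> - $f{title}</p>\n";
}

# Hardened pattern: every visitor-supplied field is encoded on output.
sub render_entry_safe {
    my (%f) = @_;
    my $name  = html_escape(clean_field($f{name}, 64));
    my $title = html_escape(clean_field($f{title}, 128));
    return "<p><b>$name</b> - $title</p>\n";
}

# Constructed sample submission using the PoC string from the advisory.
my %entry = (
    name  => q{<script>alert('obvious?')</script>},
    title => q{My "home" page},
);
print "unsafe: ", render_entry_unsafe(%entry);
print "safe:   ", render_entry_safe(%entry);
```

Encoding at output time also covers entries already stored in the guestbook data file before a fix is deployed.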