hpm_guestbook.cgi JavaScript-Injection

[Christoph Burchert <chburchert () web de>]

Hey dudes :)

Content:
     a) Problem
     b) Affected versions
     c) Exploiting
-------------------------------------------------------

A)
The HTML-function is usually activated in hpm_guestbook.cgi, so you can inject every HTML-code inclusive JavaScript.

B)
I don't know, sorry. In my version on a freespace hoster I couldn't see the version.

C)
You can post the following Proof of Concept code to understand the problem:

<script language="JavaScript">alert("This guestbook is insecure: " + document.location.href);</script>

If you're logged in as the admin of the guestbook and you want to see the posts you'll see that the password of your 
account is in the URL of hpm_login.cgi and the code shows you the URL. If you like you can make a code which sends the 
URL to a PHP-Script. Then you can get the password of the admin.
You have to keep your code in one line!

Cu
Chris