|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
ZH2003-26SA (security advisory): TSguestbook Ver. 2.1 Cross-Site Scripting Vulnerability
From: Jim Pangalos (dpangalos
linuxmail.org)
Date: Sun Aug 31 2003 - 21:11:29 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ZH2003-26SA (security advisory): TSguestbook Ver. 2.1 Cross-Site Scripting
Vulnerability
Published: 31/08/2003
Released: 31/08/2003
Name: TSguestbook (http://www.tsinter.net)
Affected System(s): All versions
Issue: Remote attackers can insect XSS script
Author: Trash-80 - dpangaloslinuxmail.org
Description
************
Zone-h Security Team has discovered a flaw in TSguestbook Ver. 2.1.
TSguestbook is an object orientated guestbook. It doesn't require a MySQL
database.
Details
********
It's possibile to insert XSS script in the message variable.
For example try this:
Name: Zone-h Security Team
Email: testtest.com
ICQ: 11111111
Homepage: http://www.zone-h.org
Message:<script>alert('Zone-H')</script>
Solution
*********
The vendor has been contacted and a patch is not yet produced.
Suggestions
************
Filter the message variable.
Trash-80 - www.zone-h.org operator
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]