|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] Guesbook Pro XSS & HTML Injection
From: SoulBlack Group (soulblacktm
gmail.com)
Date: Tue May 10 2005 - 19:36:58 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
============================================================
============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium. defacement website
Affected version: <= v3.2.1
vendor: PixySOft.
============================================================
============================================================
* Summary *
Guestbook PRO is an advanced guestbook for WebApp.
------------------------------------------------------------------------------------------------------------------------
* Problem Description *
A new vulnerability is in the content and title of msg, when not controlling the
entrance of characters, being able to inject HTML code.
------------------------------------------------------------------------------------------------------------------------
* Example *
Type in the title or content of msg
<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
------------------------------------------------------------------------------------------------------------------------
* Fix *
Contact the Vendor.
------------------------------------------------------------------------------------------------------------------------
* References *
http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt
------------------------------------------------------------------------------------------------------------------------
* Credits *
Vulnerability reported by SoulBlack Security Research
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]