[29550] in bugtraq
CGI-City's CCGuestBook Script Injection Vulns
daemon@ATHENA.MIT.EDU (BrainRawt .)
Sat Mar 29 15:08:04 2003
From: "BrainRawt ." <brainrawt@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sat, 29 Mar 2003 18:47:04 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F110WqBD4nCGU93bbgR00058cef@hotmail.com>
CGI-City's CCGuestBook Script Injection Vulnerabilities
Discovered By BrainRawt (brainrawt@hotmail.com)
About CCGuestBook:
------------------
CC Guestbook is a simple guestbook program that is very easy
to configure and install. It features a notification facility
which sends an email alert to the guestbook owner whenever new
entries are made. It may also be used as a post-it board to
allow visitors to a web site to just post messages.
CCGuestBook can be downloaded from the following address.
http://www.icthus.net/CGI-City/scr_cgicity.shtml#CCGUEST
Vendor Contact:
----------------
1-30-03 Emailed cgicity@icthus.net
No Response
Vulnerability:
----------------
cc_guestbook.pl neglects filtering user input allowing for script
injection to the guestbook via "name" and "webpage title". The
injected script will be executed in anyones browser who visits
the guestbook.
Exploit (POC):
----------------
<script>alert('obvious?')</script>
_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
