[38808] in bugtraq

home help back first fref pref prev next nref lref last post

Guesbook Pro XSS & HTML Injection

daemon@ATHENA.MIT.EDU (SoulBlack Group)
Wed May 11 18:58:26 2005

Message-ID: <bf9e9116050510173676fc0be6@mail.gmail.com>
Date: Tue, 10 May 2005 21:36:58 -0300
From: SoulBlack Group <soulblacktm@gmail.com>
Reply-To: SoulBlack Group <soulblacktm@gmail.com>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
        news@securiteam.com, sec@soulblack.com.ar, bugs@securitytracker.com,
        submissions@packetstormsecurity.org, vuln@secunia.com,
        alerts_advisories@net-security.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

============================================================

============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium. defacement website
Affected version:  <= v3.2.1
vendor: PixySOft.
============================================================

============================================================

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

------------------------------------------------------------------------------------------------------------------------

* Problem Description *

A new vulnerability is in the content and title of msg, when not controlling the
entrance of  characters, being able to inject HTML code.

------------------------------------------------------------------------------------------------------------------------

* Example *

Type in the title or content of msg

<script>alert(document.cookie)</script>

<iframe src=http://othersite/sb.php>

------------------------------------------------------------------------------------------------------------------------

* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt

------------------------------------------------------------------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar
home help back first fref pref prev next nref lref last post