
List:       bugtraq
Subject:    Guesbook Pro XSS & HTML Injection
From:       SoulBlack Group <soulblacktm () gmail ! com>
Date:       2005-05-11 0:36:58
Message-ID: bf9e9116050510173676fc0be6 () mail ! gmail ! com

============================================================

============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium (website defacement)
Affected version: <= v3.2.1
Vendor: PixySoft
============================================================

============================================================

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

------------------------------------------------------------------------------------------------------------------------


* Problem Description *

The title and content fields of a message are not filtered for special characters
when a message is posted, so a visitor can inject HTML (including script) that is
stored and rendered to every later visitor of the guestbook.

------------------------------------------------------------------------------------------------------------------------


* Example *

Enter the following in the title or content of a message:

<script>alert(document.cookie)</script>

<iframe src=http://othersite/sb.php>
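As an added illustration (not code from the advisory or from PixySoft), a Python sketch of the rendering flaw described above beside the hardened form: the advisory's two payloads are used as constructed sample entries, `render_vulnerable` concatenates fields unchanged, and `render_safe` entity-encodes every field at output time so the payloads are displayed rather than executed. `has_unexpected_tags` is a small regression check a maintainer could run over rendered output.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Entry:
    title: str
    content: str


# Constructed sample entries: one benign post plus the two payloads from the advisory.
SAMPLE_ENTRIES = [
    Entry("Hello", "Nice site <3"),
    Entry("<script>alert(document.cookie)</script>", "x"),
    Entry("news", "<iframe src=http://othersite/sb.php>"),
]


def render_vulnerable(entries):
    """Mirrors the flaw in the advisory: untrusted fields are concatenated into
    the page unchanged, so any tag a poster submits is stored and then run by
    every later visitor's browser (stored XSS / HTML injection)."""
    rows = [f"<li><b>{e.title}</b><p>{e.content}</p></li>" for e in entries]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(entries):
    """Hardened form: every untrusted field is HTML-entity encoded at output
    time, so '<', '>', '&' and quotes are shown literally and can never open
    a tag or break out of an attribute."""
    rows = []
    for e in entries:
        title = html.escape(e.title, quote=True)
        content = html.escape(e.content, quote=True)
        rows.append(f"<li><b>{title}</b><p>{content}</p></li>")
    return "<ul>" + "".join(rows) + "</ul>"


# The only tags the template itself emits; anything else came from user data.
ALLOWED_TAGS = {"ul", "li", "b", "p"}


def has_unexpected_tags(page):
    """Regression check: collect every tag name that appears in the rendered
    page and report whether any of them is not part of the template."""
    found = {m.group(1).lower()
             for m in re.finditer(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)}
    return not found <= ALLOWED_TAGS
```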

------------------------------------------------------------------------------------------------------------------------


* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------


* References *

http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt

------------------------------------------------------------------------------------------------------------------------


* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar


