Sakki's guestbook V.1.01 script injection vulnerability.

From: drG4njubas (drG4njat_private)
Date: Thu Apr 03 2003 - 06:05:22 PST


This advisory can be found at www.blacktigerz.org.

Description:
Easy to manage and configure ASP-powered guestbook.
Works with MS Access database or without it.

Vendor:
http://www.sakki.net

Vulnerability:
gb.asp neglects filtering user input, allowing script injection into the
guestbook via the "name", "city/state" and "own url" fields. The injected
script will be executed in the browser of anyone who visits the guestbook.
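The following is an added example, not code from the advisory or from Sakki's guestbook. It contrasts the unfiltered concatenation the advisory describes with a rendering routine that encodes each stored field for the context it lands in, and goes one step beyond the text for the "own url" field: since that value ends up in an href, HTML encoding alone is not enough and the URL scheme must also be checked. The entry field names, the escapeHtml/safeUrl/renderEntry function names and the sample entry are assumptions constructed for this illustration.

```javascript
// Added example, not code from the advisory or from Sakki's guestbook.
// Contrasts unfiltered output (the defect described for gb.asp) with
// context-aware encoding. Field names, function names and sample data
// are assumptions made for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that has meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "own url" field lands in an href, where encoding alone is not enough:
// a javascript: scheme survives encoding and still executes on click.
// Accept only absolute http(s) URLs; return null for anything else.
function safeUrl(value) {
  try {
    const url = new URL(String(value).trim());
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return url.href;
    }
  } catch (_) {
    // not a parseable absolute URL
  }
  return null;
}

// Unfiltered rendering: stored input is concatenated straight into the page.
// This is the pattern the advisory describes; shown only for contrast.
function renderEntryRaw(entry) {
  return `<div class="entry"><b><a href="${entry.url}">${entry.name}</a></b>` +
    ` (${entry.city})<p>${entry.message}</p></div>`;
}

// Hardened rendering: every user-controlled field is encoded for the
// context it is placed in, and the URL is validated before use in href.
function renderEntry(entry) {
  const name = escapeHtml(entry.name);
  const city = escapeHtml(entry.city);
  const url = safeUrl(entry.url);
  const who = url ? `<a href="${escapeHtml(url)}">${name}</a>` : name;
  return `<div class="entry"><b>${who}</b> (${city})<p>${escapeHtml(entry.message)}</p></div>`;
}

// Constructed sample entry of the kind the advisory says gb.asp stores unfiltered.
const sampleEntry = {
  name: '<script>alert(1)</script>',
  city: 'Oslo</b><script>alert(2)</script>',
  url: 'javascript:alert(3)',
  message: 'Hello',
};

// True when the fragment still carries a raw script tag or a script-scheme link.
function containsActiveMarkup(html) {
  return /<script|javascript:/i.test(html);
}

console.log('raw  :', renderEntryRaw(sampleEntry));
console.log('safe :', renderEntry(sampleEntry));
```

The raw variant reproduces the advisory's condition: the name and city fields come back as live markup and the URL becomes a script-scheme link. The hardened variant returns the same entry as inert text, and the URL check drops the link entirely rather than trying to clean the scheme.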
____________________________
Best Regards,   drG4njubas
Black Tigerz Research Group
http://www.blacktigerz.org