| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 4 May 2006 15:09:38 -0000
From: omnipresent@...il.it
To: bugtraq@...urityfocus.com
Subject: CuteGuestbook XSS attack
------------------------------------------------------------------
- Cute Guestbook Remote XSS Exploit -
-= http://colander.altervista.org/advisory/CuteGuestbook.txt =-
------------------------------------------------------------------
-= Cute Guestbook =-
Omnipresent
May 04, 2006
Vunerability(s):
----------------
XSS Exploit
Product:
--------
Cute Guestbook
Vendor:
--------
http://www.scriptsez.net/index.php?action=detail&id=1086399301
Description of product:
-----------------------
PHP based guestbook requires no configuration and no database. Features: Bad words filter, number of messages per page,
total messages to keep in record, emoticons with comments and much more.
Platform(s): linux, windows
Date Added: Jun 5, 2004
Last Updated: Feb 11, 2006
Author: Scriptsez Inc.
Vulnerability / Exploit:
------------------------
The applications Cute Guestbook is vulnerable to an XSS (Cross-Site Scripting) Attack.
PoC / Proof of Concept:
-----------------------
An attacker can go to this URL:
http://www.victim_host/[path]/guestbook.php?action=sign
or
http://www.victim_host/[path]/guestbook.php
and then click on:
Click here to sign our Guestbook
Then insert in the field Name the Nick and in the field Comments put XSS like:
<script>alert("You are vulnerabile to XSS")</script>
Additional Informations:
------------------------
google dorks: "Powered By:Cute Guestbook"
Vendor Status
-------------
Not informed!
Credits:
--------
omnipresent
omnipresent@...il.it
Powered by blists - more mailing lists