lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed May 11 01:37:04 2005
From: soulblacktm at gmail.com (SoulBlack Group)
Subject: Guesbook Pro XSS & HTML Injection

============================================================

============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium. defacement website
Affected version:  <= v3.2.1
vendor: PixySOft.
============================================================

============================================================

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

------------------------------------------------------------------------------------------------------------------------

* Problem Description *

A new vulnerability is in the content and title of msg, when not controlling the
entrance of  characters, being able to inject HTML code.

------------------------------------------------------------------------------------------------------------------------

* Example *

Type in the title or content of msg

<script>alert(document.cookie)</script>

<iframe src=http://othersite/sb.php>

------------------------------------------------------------------------------------------------------------------------

* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt

------------------------------------------------------------------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ