lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <F110WqBD4nCGU93bbgR00058cef@hotmail.com>
Date: Sat, 29 Mar 2003 18:47:04 +0000
From: "BrainRawt ." <brainrawt@...mail.com>
To: bugtraq@...urityfocus.com
Subject: CGI-City's CCGuestBook Script Injection Vulns


CGI-City's CCGuestBook Script Injection Vulnerabilities
Discovered By BrainRawt (brainrawt@...mail.com)

About CCGuestBook:
------------------
CC Guestbook is a simple guestbook program that is very easy
to configure and install. It features a notification facility
which sends an email alert to the guestbook owner whenever new
entries are made. It may also be used as a post-it board to
allow visitors to a web site to just post messages.

CCGuestBook can be downloaded from the following address.

http://www.icthus.net/CGI-City/scr_cgicity.shtml#CCGUEST


Vendor Contact:
----------------
1-30-03 Emailed cgicity@...hus.net

No Response

Vulnerability:
----------------
cc_guestbook.pl neglects filtering user input allowing for script
injection to the guestbook via "name" and "webpage title".  The
injected script will be executed in anyones browser who visits
the guestbook.


Exploit (POC):
----------------
<script>alert('obvious?')</script>







_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online  
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ