Message-ID: <bf9e9116050510173676fc0be6@mail.gmail.com>
Date: Tue, 10 May 2005 21:36:58 -0300
From: SoulBlack Group <soulblacktm@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
news@...uriteam.com, sec@...lblack.com.ar, bugs@...uritytracker.com,
submissions@...ketstormsecurity.org, vuln@...unia.com,
alerts_advisories@...-security.org
Subject: Guestbook Pro XSS & HTML Injection
============================================================
============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium (website defacement)
Affected version: <= v3.2.1
Vendor: PixySoft
============================================================
============================================================
* Summary *
Guestbook PRO is an advanced guestbook web application.
------------------------------------------------------------------------------------------------------------------------
* Problem Description *
The title and content fields of a guestbook message are not filtered or encoded
before being displayed to other visitors, so an attacker can inject arbitrary HTML
and script into the guestbook page (stored cross-site scripting / HTML injection).
------------------------------------------------------------------------------------------------------------------------
* Example *
Enter the following in the title or content of a message:
<script>alert(document.cookie)</script>
<iframe src=http://othersite/sb.php>
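The following is an added example, not code from the advisory or from PixySoft: a
minimal guestbook renderer in Python that reproduces the flaw described above (raw
title and content interpolated into markup) beside a hardened form that HTML-encodes
both fields on output. The markup, the Entry type and the payload list are
assumptions for illustration; Guestbook PRO's real templates are not shown on this
page. Besides the two payloads above, the example adds an attribute-breaking
variant to show why the double quote must be encoded as well.

```python
import html
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample payloads: the two from the advisory plus an
# attribute-context variant (hypothetical, for illustration only).
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<iframe src=http://othersite/sb.php>",
    '" onmouseover="alert(1)',
]


@dataclass
class Entry:
    """One stored guestbook message (assumed shape, not the product's schema)."""
    title: str
    content: str


def render_entry_unsafe(e: Entry) -> str:
    """Mirrors the flaw in the advisory: user input is interpolated straight
    into the page, so tags and event handlers are interpreted by the browser."""
    return (f'<div class="entry" title="{e.title}">'
            f'<h3>{e.title}</h3><p>{e.content}</p></div>')


def render_entry_safe(e: Entry) -> str:
    """Hardened form: encode on output. quote=True also encodes the double
    quote, which is what protects the title="" attribute context."""
    t = html.escape(e.title, quote=True)
    c = html.escape(e.content, quote=True)
    return (f'<div class="entry" title="{t}">'
            f'<h3>{t}</h3><p>{c}</p></div>')


def render_page(entries: List[Entry], renderer: Callable[[Entry], str]) -> str:
    """Assemble the guestbook listing using the given per-entry renderer."""
    body = "\n".join(renderer(e) for e in entries)
    return f"<html><body>\n{body}\n</body></html>"


def payload_survives(page: str, payload: str) -> bool:
    """Check whether the raw payload appears verbatim in the rendered page.
    A literal <script> tag or an unencoded quote followed by an on* handler
    surviving output means the injection would execute in a visitor's browser."""
    return payload in page


def surviving_payloads(renderer: Callable[[Entry], str]) -> List[str]:
    """Store every sample payload as both title and content, render the page,
    and return the payloads that come back unencoded."""
    entries = [Entry(title=p, content=p) for p in PAYLOADS]
    page = render_page(entries, renderer)
    return [p for p in PAYLOADS if payload_survives(page, p)]


if __name__ == "__main__":
    print("unsafe renderer leaks:", surviving_payloads(render_entry_unsafe))
    print("safe renderer leaks:  ", surviving_payloads(render_entry_safe))
```

Run the script to see all three payloads survive the unsafe renderer and none
survive the encoded one. The check is deliberately output-side: stripping tags on
input is fragile (encoded variants, attribute contexts), whereas encoding every
user-controlled value at the point it is written into HTML covers the cases above.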
------------------------------------------------------------------------------------------------------------------------
* Fix *
Contact the vendor. As an interim mitigation, HTML-encode the message title and
content before rendering them in the guestbook page.
------------------------------------------------------------------------------------------------------------------------
* References *
http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt
------------------------------------------------------------------------------------------------------------------------
* Credits *
Vulnerability reported by SoulBlack Security Research
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/