lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060504150938.8466.qmail@securityfocus.com>
Date: 4 May 2006 15:09:38 -0000
From: omnipresent@...il.it
To: bugtraq@...urityfocus.com
Subject: CuteGuestbook XSS attack


------------------------------------------------------------------
          - Cute Guestbook Remote XSS Exploit -
   -= http://colander.altervista.org/advisory/CuteGuestbook.txt =-
------------------------------------------------------------------

			-= Cute Guestbook =-



Omnipresent
May 04, 2006


Vunerability(s):
----------------
XSS Exploit


Product:
--------
Cute Guestbook

Vendor:
--------
http://www.scriptsez.net/index.php?action=detail&id=1086399301


Description of product:
-----------------------

PHP based guestbook requires no configuration and no database. Features: Bad words filter, number of messages per page, 
total messages to keep in record, emoticons with comments and much more.

Platform(s):  	linux, windows
Date Added: 	Jun 5, 2004
Last Updated: 	Feb 11, 2006
Author: 	Scriptsez Inc.


Vulnerability / Exploit:
------------------------

The applications Cute Guestbook is vulnerable to an XSS (Cross-Site Scripting) Attack.

PoC / Proof of Concept:
-----------------------

An attacker can go to this URL:

http://www.victim_host/[path]/guestbook.php?action=sign

or

http://www.victim_host/[path]/guestbook.php

and then click on:

Click here to sign our Guestbook

Then insert in the field Name the Nick and in the field Comments put XSS like:
<script>alert("You are vulnerabile to XSS")</script>



Additional Informations:
------------------------

google dorks: "Powered By:Cute Guestbook"

Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@...il.it


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ