|
|
Levcgi.coms MyGuestbook JavaScript Injection Vulnerability: msg#00431security.bugtraq
___________ ____________ ____ __ ___ ______________ |\ ____ \ |\ ____ \ |\ \|\ \|\ \ |\_____ ____\ | \ \__|\ \ | \ \__|\ \ | \ \ \ \ \ \ | | |\ \ | \ \ ___ | \ \ ____ \ \ \ \_| \_| \ \|___| \ \__| \ \ \_|\ \_ \ \ \__|\ \ \ \ _ \ \ \ \ \ \ \\ \ \ \ \ \ \ \ \ \ \ |\ http://rawt.daemon.sh \ \___\\ \___\ \ \___\ \ \___\ \ \____| \_____\ \ \___\ \ | | \ | | \ | | \ | | \ | |\ | | \ | | \|___| \|___| \|___| \|___| \|___| \|____| \|___| Levcgi.coms MyGuestbook JavaScript Injection Vulnerability Discovered By BrainRawt (brainrawt@xxxxxxxxxxx) About MyGuestbook: ------------------ Highly customizable guestbook that was released on Feb. 20, 2002, and can be downloaded at http://www.levcgi.com/programs.cgi?program=myguestbook According to the website, ...myGuestbook has been downloaded 1298 times! Vulnerable (tested) Versions: -------------------- MyGuestbook v 1.0 Vendor Contact: ---------------- 4-28-02 - Emailed lev@xxxxxxxxxxxxxxxxxxx 4-30-02 - No Reply from the author and I have decided not to wait since I never got a reply about another concern i had several months ago involving one of his cgi scripts. Vulnerability: ---------------- myguestbook inproperly filters input to the guestbook making the guestbook prone to cross-site scripting attacks by malicious visitors to the site. This could be a medium to high concern when mixed with a website that uses cookies. Exploit (POC): ---------------- Sign up and post using the "name" <script>alert('evil+java+script+here')</script> or When posting comments just insert the <script>alert('evil+java+script+here')</script> to the comments field. -------------------------------------------------------------------------- Knowledge is Power! How Powerful are you? - BrainRawt _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensor: 00431, X-Force |
|---|---|
| Next by Date: | 3CDaemon DoS exploit: 00431, skyrim msh |
| Previous by Thread: | ISS Advisory: Remote Denial of Service Vulnerability in RealSecure Network Sensori: 00431, X-Force |
| Next by Thread: | 3CDaemon DoS exploit: 00431, skyrim msh |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |