This advisory can be found at www.blacktigerz.org

Date: 08.04.2003

Subject: ISC guestbook script injection vulnerability.

Description: Free, easy to use ASP-powered guestbook. Main features are: web-based administration, bad word filtering.

Vendor: http://www.isc-online.at
Download: http://www.isc-online.at/downloads/gb.zip

Vulnerability: gb_eintragen.asp does not filter user input, allowing script injection into the guestbook via the "Ihr Name", "Ihre EMail" and "Ihre Homepage" fields. The injected script will be executed in the browser of anyone who visits the guestbook.

Black Tigerz Research Group
We are: Areus, Barracuda, n1Tr0f4n, Velzevol, drG4njubas.
Please visit our website: http://www.blacktigerz.org
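
Mitigation sketch for the three fields named above, as an added example that is not part of the original advisory and not the vendor's code. The helper names, length limits and sample values are assumptions; the advisory does not show the guestbook's source or its form field names.

```asp
<%
' Added example, not the vendor's code. Helper names and sample values are hypothetical.

' Name: plain text. Cap the length, then HTML-encode for output.
Function SafeText(raw, maxLen)
    SafeText = Server.HTMLEncode(Left(Trim(raw & ""), maxLen))
End Function

' E-mail: accept a conservative address shape only, otherwise drop the field.
Function SafeEmail(raw)
    Dim re, addr
    SafeEmail = ""
    addr = Left(Trim(raw & ""), 100)
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    If re.Test(addr) Then SafeEmail = Server.HTMLEncode(addr)
End Function

' Homepage: HTML-encoding alone does not stop javascript: or data: URLs inside href,
' so allow only absolute http/https URLs without quotes, angle brackets or whitespace.
Function SafeHomepage(raw)
    Dim re, url
    SafeHomepage = ""
    url = Left(Trim(raw & ""), 200)
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://[^\s""'<>]+$"
    If re.Test(url) Then SafeHomepage = Server.HTMLEncode(url)
End Function

' Constructed sample entry standing in for the three submitted fields.
Dim entryName, entryMail, entryUrl
entryName = SafeText("<script>alert(1)</script>", 50)
entryMail = SafeEmail("visitor@example.org")
entryUrl  = SafeHomepage("javascript:alert(1)")

' Render the entry; links are written only when the field passed validation.
Response.Write "<p>" & entryName
If entryMail <> "" Then Response.Write " <a href=""mailto:" & entryMail & """>E-Mail</a>"
If entryUrl <> "" Then Response.Write " <a href=""" & entryUrl & """>Homepage</a>"
Response.Write "</p>"
%>
```

With the constructed values, the name is written as escaped text and the homepage link is omitted because its scheme is not http or https.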