============================================================ ============================================================ Title: Guestbook PRO Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar Date: 10/05/2005 Severity: Medium. defacement website Affected version: <= v3.2.1 vendor: PixySOft. ============================================================ ============================================================ * Summary * Guestbook PRO is an advanced guestbook for WebApp. ------------------------------------------------------------------------------------------------------------------------ * Problem Description * A new vulnerability is in the content and title of msg, when not controlling the entrance of characters, being able to inject HTML code. ------------------------------------------------------------------------------------------------------------------------ * Example * Type in the title or content of msg <script>alert(document.cookie)</script> <iframe src=http://othersite/sb.php> ------------------------------------------------------------------------------------------------------------------------ * Fix * Contact the Vendor. ------------------------------------------------------------------------------------------------------------------------ * References * http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt ------------------------------------------------------------------------------------------------------------------------ * Credits * Vulnerability reported by SoulBlack Security Research ============================================================ -- SoulBlack - Security Research http://www.soulblack.com.ar
