[Full-disclosure] Guesbook Pro XSS & HTML Injection

From: SoulBlack Group (soulblacktm_at_gmail.com)
Date: 05/11/05

Next message: Luke Skywalker: "[Full-disclosure] RE: Invitation to www.banneretcs.com Hacking Contest"

Previous message: Nick FitzGerald: "RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 10 May 2005 21:36:58 -0300
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, news@securiteam.com, sec@soulblack.com.ar, bugs@securitytracker.com, submissions@packetstormsecurity.org, vuln@secunia.com, alerts_advisories@net-security.org

============================================================

============================================================
Title: Guestbook PRO
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 10/05/2005
Severity: Medium. defacement website
Affected version: <= v3.2.1
vendor: PixySOft.
============================================================

============================================================

* Summary *

Guestbook PRO is an advanced guestbook for WebApp.

------------------------------------------------------------------------------------------------------------------------

* Problem Description *

A new vulnerability is in the content and title of msg, when not controlling the
entrance of characters, being able to inject HTML code.

------------------------------------------------------------------------------------------------------------------------

* Example *

Type in the title or content of msg

------------------------------------------------------------------------------------------------------------------------

* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt

------------------------------------------------------------------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Next message: Luke Skywalker: "[Full-disclosure] RE: Invitation to www.banneretcs.com Hacking Contest"

Previous message: Nick FitzGerald: "RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

PHP Stat Administrative User Authentication Bypass
... PHP Stat Administrative User Authentication Bypass ... Vulnerability reported by SoulBlack Security Research ...
(Bugtraq)
Cookie Cart Default Installation Multiple Vulnerabilities
... Remote users can obtain several data of Credits Cards, ... Vulnerability reported by SoulBlack Security Research ...
(Bugtraq)
[Full-disclosure] ExoPHPDesk is helpdesk written in PHP/SQL.
... Remote Users Can Execute Arbitrary Code. ... Vulnerability reported by SoulBlack Security Research. ...
(Full-Disclosure)
Guesbook Pro XSS & HTML Injection
... Guestbook PRO is an advanced guestbook for WebApp. ... A new vulnerability is in the content and title of msg, ... Vulnerability reported by SoulBlack Security Research ...
(Bugtraq)
PowerDownload Remote File Inclusion
... Contact the Vendor. ... Vulnerability reported by SoulBlack Security Research ...
(Bugtraq)