[Full-disclosure] TP-Book <= 1.00 Cross Site Scripting Vulnerabilities
- From: Tamriel <tamriel@xxxxxxx>
- Date: Tue, 25 Jul 2006 21:07:33 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: TP-Book <= 1.00 Cross Site Scripting Vulnerabilities
Release Date: 2006/07/25
Last Modified: 2006/07/25
Author: Tamriel [tamriel at gmx dot net]
Application: TP-Book <= 1.00
Risk: Low
Vendor Status: not contacted
Vendor Site: tobias.kloy.googlepages.com
Overview:
Quote from tobias.kloy.googlepages.com:
"Das Gaestebuch verfuegt über folgende Features:
- Anpassbare Templates
- Viele Systeme, um Dauerspammer auszuschließen
- Admincontrol-Panel
- Einfache Installation durch einen Wizard"
Details:
In your guestbook posts the name will not be checked by the script.
Attackers can so perform cross site scripting attacks.
Solution:
Take a view on PHP's htmlentities function.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iD8DBQFExnoFqBhP+Twks7oRAvnvAJ93lO3W/o+PmtaTKitjw6qVxkXK0gCfR67W
af8OIcTNC9Ggkrwlk4QLyHo=
=sIc9
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: [Full-disclosure] [ GLSA 200607-10 ] Samba: Denial of Service vulnerability
- Next by Date: Re: [Full-disclosure] Please help to spam abryson@bytefocus.com.
- Previous by thread: [Full-disclosure] [ GLSA 200607-10 ] Samba: Denial of Service vulnerability
- Next by thread: [Full-disclosure] [ MDKSA-2006:131 ] - Updated perl-Net-Server packages fix format string vulnerability
- Index(es):
