[VulnWatch] BugTraq ID: 5728

From: "Bobby Dominguez" <bobby.dominguez@corp.terralycos.com>
To: <vulnwatch@vulnwatch.org>, <news@securiteam.com>, <vuldb@securityfocus.com>
Date: Thu, 26 Sep 2002 17:01:04 -0400



Due to a bug in the content filtering engine of HTMLGear's "GuestGear"
application, it was possible for a malicious user to inject arbitrary
JavaScript into a guestbook page, in some browsers. (Various versions of
Internet Explorer were affected; however, Netscape/Mozilla browsers were not.)
This bug existed under all guestbook security settings.

Effective in the 9/25/02 release of HTMLGear, this security vulnerability has
been fixed. Additionally, all new guestbooks will now default to the "simple
tags" security level. (Previously, the less secure mode was the default.)

---
Bobby Dominguez
Terra Lycos, Inc.
Information Security Manager, US
Voice: 781-370-2989
Fax: 781-370-2650



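The fix above moves guestbooks to a "simple tags" allow-list instead of a permissive filter. As an added illustration of that approach (example code written here, not HTMLGear's; the tag set, the attribute rules and the http(s)-only link check are assumptions about what such a level would permit), a small Python sanitizer that rebuilds an entry from parsed tokens and escapes anything not on the list, so the result does not depend on how any particular browser would have parsed the raw input:

```python
from html import escape
from html.parser import HTMLParser

# Assumed "simple tags" allow-list: inline formatting plus links restricted to http(s).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (style, on*, ...) is dropped
VOID_TAGS = {"br"}

class SimpleTagsSanitizer(HTMLParser):
    """Rebuild the entry from parsed tokens. Markup not on the allow-list is
    re-emitted as escaped text, so no browser can interpret it as a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []   # output pieces; allowed tags still open

    def handle_starttag(self, tag, attrs):
        kept = {k: v for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ()) and v}
        href = kept.get("href", "").strip().lower()
        if tag not in ALLOWED_TAGS or (tag == "a" and not href.startswith(("http://", "https://"))):
            self.out.append(escape(self.get_starttag_text()))   # neutralise rather than drop
            return
        self.out.append(f"<{tag}" + "".join(f' {k}="{escape(v)}"' for k, v in kept.items()) + ">")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag not in self.stack:          # stray close tag: escape it
            self.out.append(escape(f"</{tag}>"))
            return
        while self.stack:                  # close nested tags so the output stays well formed
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))      # text (and decoded char refs) always re-escaped

def sanitize_entry(text):
    """Return a guestbook entry reduced to the simple-tags allow-list, well formed."""
    s = SimpleTagsSanitizer()
    s.feed(text)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.stack))
```

Because the output is regenerated from the parser's token stream rather than patched with string replacements, a tag or attribute that one browser would accept and another would not never reaches the page as markup.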


