New Vulnerability

From: Joshua P. Miller (jpmiller_at_tds.net)
Date: 10/26/03

  • Next message: dong-h0un U: "Musicqueue multiple local vulnerabilities"
    To: <bugtraq@securityfocus.com>
    Date: Sun, 26 Oct 2003 01:16:56 -0400
    
    

    I would like to submit a vulnerability that I just recently discovered. I
    have already contacted the vendor of the software that I discovered the bug
    in, but they have not gotten back to me. There are two Code Injection/CSS
    vulnerabilities that exist in Guestbook Version 1.51 by Chi Kien Uong
    (www.proxy2.de). Although I have not checked, it would not come as a
    surprise if prior versions are vulnerable as well.

    The first vulnerability arises when HTML is enabled. When a user posts a
    message with HTML in it, the tags that are used are not filtered in any way.
    Thus, anyone viewing the guestbook is vulnerable to attack (redirection,
    cookie stealing, etc.)

    The second vulnerability is quite a bit less severe. When a user submits an
    e-mail address or a URL, double quotation marks are not filtered. So, if the
    first character of the e-mail or URL input is a double quotation mark, all
    data after that is appended to the e-mail or URL link. If I were to submit
    this:

                " onmouseover="alert(document.cookie)

    as my e-mail address or homepage URL, that exact attribute would be added to
    the link. Anyone viewing the guestbook could be attacked in several of the
    same ways as with the first vulnerability that I described. It is less
    severe, though, because they would have to click on or hover over the link
    to initiate the attack.

    These vulnerabilities were discovered on October 23, 2003.

    I would appreciate being informed if this vulnerability gets posted. Thanks!

    Joshua P. Miller
    jpmiller@tds.net


  • Next message: dong-h0un U: "Musicqueue multiple local vulnerabilities"

    Relevant Pages