



Bugtraq mailing list archives

CGI-City's CCGuestBook Script Injection Vulns
From: "BrainRawt ." <brainrawt () hotmail com>
Date: Sat, 29 Mar 2003 18:47:04 +0000

CGI-City's CCGuestBook Script Injection Vulnerabilities
Discovered By BrainRawt (brainrawt () hotmail com)

About CCGuestBook:
------------------
CC Guestbook is a simple guestbook program that is very easy
to configure and install. It features a notification facility
which sends an email alert to the guestbook owner whenever new
entries are made. It may also be used as a post-it board to
allow visitors to a web site to just post messages.

CCGuestBook can be downloaded from the following address.

http://www.icthus.net/CGI-City/scr_cgicity.shtml#CCGUEST


Vendor Contact:
----------------
1-30-03 Emailed cgicity () icthus net

No Response

Vulnerability:
----------------
cc_guestbook.pl neglects filtering user input, allowing for script
injection to the guestbook via "name" and "webpage title".  The
injected script will be executed in the browser of anyone who visits
the guestbook.


Exploit (POC):
----------------
<script>alert('obvious?')</script>







_________________________________________________________________
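The fix for the class of bug described above is to HTML-encode the "name" and "webpage title" values before they are written into the guestbook page. The Perl sketch below is an added example, not part of the original post and not CGI-City's code; the field names, the render_entry helper and the entry markup are assumptions, since the advisory does not show the source of cc_guestbook.pl.

```perl
#!/usr/bin/perl
# Added example: output-encode guestbook fields before they reach the page.
# Field names and markup are assumptions; the advisory does not show the
# source of cc_guestbook.pl.
use strict;
use warnings;

# Entity for each HTML-significant character. All five are replaced in one
# pass, so an '&' produced by the substitution is never encoded a second time.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

sub html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Hypothetical renderer for one guestbook entry: every user-supplied value
# passes through html_escape() on its way into the markup.
sub render_entry {
    my (%field) = @_;
    my $name  = html_escape($field{name});
    my $title = html_escape($field{webpage_title});
    return qq{<p class="entry"><b>$name</b> (<i>$title</i>)</p>\n};
}

# Constructed sample submission; the name is the PoC string from the advisory.
my $poc  = q{<script>alert('obvious?')</script>};
my $html = render_entry(
    name          => $poc,
    webpage_title => q{Bob's <b>page</b> & more},
);

# Self-check: no submitted tag may survive as markup in the rendered entry.
die "unescaped markup reached the page\n" if $html =~ /<script|<b>page/i;
print $html;
```

Encoding at output time leaves the stored entry untouched, so the same data stays safe if it is later reused in a different context with that context's own encoder.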

