Philip Chinery's Guestbook 1.1 - Script Injection

EDB-ID:

21406


Platform:

CGI

Published:

2002-04-21

source: http://www.securityfocus.com/bid/4566/info

Philip Chinery's Guestbook is freely available guestbook software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Philip Chinery's Guestbook does not filter script code from form fields. As a result, it is possible for an attacker to inject script code into pages that are generated by the guestbook. Additionally, script code is not filitered from URL parameters, making the guestbook prone to cross-site scripting attacks.

This issue has been reported for Philip Chinery's Guestbook version 1.1. Other versions may also be affected.

http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&EMail=example@example.com&Text=css%20exam
ple