episodex guestbook security bypass & html injection
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: episodex guestbook security bypass & html injection
- From: farhad koosha <farhadkey@xxxxxxxxx>
- Date: 20 May 2005 02:25:26 -0000
Vendor URL : http://www.episodex.de
HTML Injection :
"Name" & other fields in "default.asp" are not validated.
Script code will be executed in the user's browser session when the entry is
viewed.
Security Bypass :
It is possible to edit settings without authentication by accessing the scripts
"admin.asp"
http://www.bahadorlover.com
3nitroToloen (!)
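
The two fixes the advisory implies, sketched in Classic ASP (VBScript) as an added example. This is not code from the advisory or from the episodex product; the include file name, the routine names and the Session("IsAdmin") flag are all hypothetical, and a separate login page is assumed to set that flag.

```asp
<%
' guard.inc (hypothetical include file), added example, not vendor code.
' Pull it in at the top of both pages with:
'   <!-- #include file="guard.inc" -->

' Fix for the security bypass: call RequireAdmin as the first statement of
' admin.asp, before any setting is read or written. Assumes a login page
' sets Session("IsAdmin") = True only after the password has been verified.
Sub RequireAdmin()
    If Not (Session("IsAdmin") = True) Then
        Response.Status = "403 Forbidden"
        Response.Write "Authentication required."
        Response.End   ' stop here so the settings code below never runs
    End If
End Sub

' Fix for the HTML injection: encode every visitor-supplied field at the
' point where default.asp writes it into the page.
Function SafeField(ByVal value)
    If IsNull(value) Then value = ""      ' CStr(Null) would raise an error
    SafeField = Server.HTMLEncode(CStr(value))
End Function

' Renders one guestbook entry. Encoding happens first, then line breaks are
' turned into <br>, so the only markup in the output is markup written here.
Sub RenderEntry(ByVal entryName, ByVal entryMessage)
    Response.Write "<div class=""entry""><b>" & SafeField(entryName) & "</b><p>"
    Response.Write Replace(SafeField(entryMessage), vbCrLf, "<br>")
    Response.Write "</p></div>"
End Sub

' Constructed sample input for default.asp: a "Name" value carrying markup.
' With SafeField applied it is sent to the browser as text, for example
'   &lt;b&gt;guest&lt;/b&gt;
' instead of being interpreted as HTML:
'   RenderEntry "<b>guest</b>", "first line" & vbCrLf & "second line"
%>
```

Encoding at output time covers "Name" and the other fields the advisory mentions regardless of how the entries were stored, including entries already in the guestbook.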