vendor: MyGuestbook
by: SecurityFocus
CVSS: 7.5 HIGH
Script Injection
CWE: 79
Product Name: MyGuestbook
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix, Linux, Microsoft Windows
2002
MyGuestbook Script Injection Vulnerability
MyGuestbook is freely available guestbook software. It does not adequately filter script code from various fields, which may enable an attacker to inject script code which will be executed in the web client of an arbitrary user who views the guestbook. Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials.
Mitigation:
Input validation should be used to ensure that user-supplied data does not contain malicious code.