Philip Chinery's Guestbook Cross-Site Scripting Vulnerability

vendor:

Guestbook

by:

SecurityFocus

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Guestbook

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: YES

Related CWE: N/A

CPE: //a:philip_chinery:guestbook:1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix, Linux, Microsoft Windows

2002

Philip Chinery’s Guestbook Cross-Site Scripting Vulnerability

Philip Chinery's Guestbook does not filter script code from form fields. As a result, it is possible for an attacker to inject script code into pages that are generated by the guestbook. Additionally, script code is not filitered from URL parameters, making the guestbook prone to cross-site scripting attacks.

Mitigation:

Filter user input for malicious code and validate all input received from external sources.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4566/info

Philip Chinery's Guestbook is freely available guestbook software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Philip Chinery's Guestbook does not filter script code from form fields. As a result, it is possible for an attacker to inject script code into pages that are generated by the guestbook. Additionally, script code is not filitered from URL parameters, making the guestbook prone to cross-site scripting attacks.

This issue has been reported for Philip Chinery's Guestbook version 1.1. Other versions may also be affected.

http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&EMail=example@example.com&Text=css%20exam
ple