Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Guestbooks :: a6161.htm

FipsGuestbook script injection



16th Apr 2003 [SBWID-6161]
COMMAND

	FipsGuestbook script injection

SYSTEMS AFFECTED

	Version 1.12.7

PROBLEM

	Black  Tigerz  Research  Group  reported  about  FipsGuestbook.  Written
	entirely in ASP and VBScript, easy  to  install  ASP  guestbook  manager
	with web based  administration panel.
	
	Vulnerability:
	
	new_entry.asp  neglects  filtering  user  input  allowing   for   script
	injection to the guestbook via "Name" field. The  injected  script  will
	be executed in anyones browser who visits the guestbook.

SOLUTION

	??


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH