TUCoPS :: Web :: Guestbooks :: bt975.txt

TSguestbook Ver. 2.1 Cross-Site Scripting Vulnerability 




ZH2003-26SA (security advisory): TSguestbook Ver. 2.1 Cross-Site Scripting 

Vulnerability 



Published: 31/08/2003



Released: 31/08/2003



Name: TSguestbook (http://www.tsinter.net)



Affected System(s): All versions 



Issue: Remote attackers can insect XSS script



Author: Trash-80 - dpangalos@linuxmail.org





Description



************



Zone-h Security Team has discovered a flaw in TSguestbook Ver. 2.1. 

TSguestbook is an object orientated guestbook. It doesn't require a MySQL 

database.



Details



********



It's possibile to insert XSS script in the message variable.



For example try this:



Name: Zone-h Security Team



Email: test@test.com



ICQ: 11111111



Homepage: http://www.zone-h.org



Message:<script>alert('Zone-H')</script>



Solution



*********



The vendor has been contacted and a patch is not yet produced.



Suggestions



************



Filter the message variable.





Trash-80 - www.zone-h.org operator

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH