COMMAND

	Ocean12 ASP Guestbook script injection

SYSTEMS AFFECTED

	Ocean12 ASP Guestbook Manager v1.00.

PROBLEM

	In Black Tigerz Research Group Advisory [http://www.blacktigerz.org]:
	
	Written entirely in ASP and VBScript this  is  a  completely  web-based,
	easy to install, ASP Guestbook Program. It  stores  data  in  an  Access
	2000 database and is configured 100%  through  the  web  browser,  which
	means an easy installation process.
	
	add.asp neglects filtering user input allowing for script  injection  to
	the guestbook via "Name", "E-Mail" and "Massage"  fields.  The  injected
	script will be executed in anyones browser who visits the guestbook.
	
	An attaker may  download  MS  Acces  database  to  gain  administrator's
	password,    which    is    not    encrypted    at     all.     Example:
	www.target.com/guestbook/admin/o12guest.mdb
	
	

SOLUTION

	Unknown