MyGuestbook 1.0 - Script Injection

EDB-ID:

21433




Platform:

CGI

Date:

2002-04-30


source: https://www.securityfocus.com/bid/4651/info

MyGuestbook is freely available guestbook software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

MyGuestbook does not adequately filter script code from various fields. This may enable an attacker to inject script code which will be executed in the web client of an arbitrary user who views the guestbook.

Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials. 

Sign up and post using the "name"
<script>alert('evil+java+script+here')</script>

or

When posting comments just insert the
<script>alert('evil+java+script+here')</script>
to the comments field.