Multiple XSS in MCG GuestBook

New eVuln Advisory:

Multiple XSS in MCG GuestBook

Summary: http://evuln.com/vulns/144/summary.html

Details: http://evuln.com/vulns/144/description.html

-----------Summary-----------

eVuln ID: EV0144

Software: MCG GuestBook

Vendor: Mrcgiguy

Version: 1.0

Critical Level: low

Type: Cross Site Scripting

Status: Unpatched. No reply from developer(s)

PoC: Available

Solution: Not available

Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

--------Description--------

All vulnerabilities found in gb.cgi script. It doesn't have proper XSS sanitation filters.

XSS vulnerable parameters:

* name

* email

* website

* message

All these parameters are not sanitized.

This can be used to insert any html or script code.

Admin panel is vulnerable also

--------PoC/Exploit--------

PoC code is available at:

http://evuln.com/vulns/144/exploit.html

---------Solution----------

Not available

----------Credit-----------

Vulnerability discovered by Aliaksandr Hartsuyeu

http://evuln.com/tool/php-security.html - online php source analyzer.