PBL Guestbook v1.31 - XSS - CXSecurity.com

PBL Guestbook v1.31 - XSS

2006-06-14 / 2006-06-15

Credit: luny youfucktard com

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-2975

CWE: CWE-79

Ogólna skala CVSS: 2.6/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 4.9/10

Wymagany dostęp: Zdalny

Złożoność ataku: Wysoka

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

PBLGuestbook v1.31
Homepage:
http://www.pixelatedbylev.com/
Effected files:
input boxes of the guestbook.
XSS Vulnerabilities PoC:
I noticed that common tags like <script> are filtered into the words "SCRIPT BLOCKED" in this guestbook, however img tags as well as others go unfiltered in the Name, Email,and Website boxes. In turn, this could cause an XSS
attack to occur. For PoC just enter: <IMG SRC=javascript:alert('XSS')> in any of these boxes.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PBL Guestbook v1.31 - XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.