Multiple XSS in MCG GuestBook
Summary
- Vulnerability: Multiple XSS in MCG GuestBook
- Discovered: 2010.11.12
- Last Update: n/a
- ID: EV0144
- CVE: CVE-2010-4358
- Risk Level: low
- Type: Cross Site Scripting
- Status: Unpatched. Vendor notified. No reply from developer(s)
- Vendor: Mrcgiguy (http://www.mrcgiguy.com/)
- Vulnerable Software: MCG GuestBook
- Version: 1.0
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Cross Site Scripting found in MCG GuestBook script.
- Multiple XSS in MCG GuestBook
- All vulnerabilities are in the gb.cgi script, which applies no proper XSS sanitization to its input.
XSS vulnerable parameters:
- name
- website
- message
None of these parameters is sanitized, so a visitor can insert arbitrary HTML or script code into the guestbook page. The admin panel, which displays the same entries, is vulnerable as well.
PoC/Exploit
- XSS PoC code
- None of the form parameters pass through any XSS sanitization filter.
XSS examples:
Parameter "name": <script>alert('XSS Vuln')</script>
Parameter "email": "<script>alert('Vulnerable')</script>
Parameter "website": "<script>alert('Vulnerable')</script>
Parameter "message": <script>alert('XSS Vuln')</script>
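As an added illustration (this is not code from MCG GuestBook; gb.cgi itself is not reproduced here, and it is written in Python rather than the script's own language), the block below reproduces the failure mode described above, where each submitted field is written into the page verbatim, next to a version that encodes every field for the HTML context it lands in and allows only http(s) URLs in the website link. The sample entry is constructed from the advisory's own PoC payloads; the template and function names are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample submission built from the advisory's PoC payloads
# (not captured from a real gb.cgi installation).
SAMPLE_ENTRY = {
    "name": "<script>alert('XSS Vuln')</script>",
    "email": "\"<script>alert('Vulnerable')</script>",
    "website": "\"<script>alert('Vulnerable')</script>",
    "message": "<script>alert('XSS Vuln')</script>\nsecond line",
}

# Assumed entry layout; a real guestbook template would differ.
ENTRY_TEMPLATE = (
    '<div class="entry">'
    '<b>{name}</b> (<a href="mailto:{email}">{email}</a>) '
    '<a href="{website}">{website}</a>'
    "<p>{message}</p>"
    "</div>"
)


def render_entry_unsafe(entry):
    """The behaviour the advisory describes: every field is interpolated
    verbatim, so a submitted <script> tag reaches the browser intact."""
    return ENTRY_TEMPLATE.format(**entry)


def safe_website(url):
    """Allow only absolute http(s) URLs with a host part and no control or
    whitespace characters; anything else (including the advisory's
    quote-and-script payload) is dropped and rendered as an empty link."""
    url = url.strip()
    if any(ord(c) < 0x20 or c.isspace() for c in url):
        return ""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return url


def render_entry_safe(entry):
    """HTML-encode each field for its context: text and attribute values via
    html.escape(quote=True); the website goes through the scheme allowlist
    first. Message line breaks become <br> only after encoding, so no raw
    markup from the submission survives."""
    safe = {
        k: html.escape(entry.get(k, ""), quote=True)
        for k in ("name", "email", "message")
    }
    safe["message"] = safe["message"].replace("\n", "<br>")
    safe["website"] = html.escape(safe_website(entry.get("website", "")), quote=True)
    return ENTRY_TEMPLATE.format(**safe)


def contains_raw_script(markup):
    """Minimal regression check: does the rendered page still contain an
    unencoded <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe render leaks script:", contains_raw_script(render_entry_unsafe(SAMPLE_ENTRY)))
    print("safe render leaks script:  ", contains_raw_script(render_entry_safe(SAMPLE_ENTRY)))
```

Encoding at output time, per context, is the fix the advisory's "no sanitation filters" finding calls for; stripping `<script>` from input alone is not enough, since the same fields are also echoed inside attribute values and in the admin panel.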
Solution
Solution for "Multiple XSS in MCG GuestBook" is not available. Check Mrcgiguy website for updates.