Multiple XSS in MCG GuestBook

Summary

Vulnerability
Multiple XSS in MCG GuestBook
Discovered
2010.11.12
Last Update
n/a n/a
ID
EV0144
CVE
CVE-2010-4358
Risk Level
low
Type
Cross Site Scripting
Status
Unpatched. Vendor notified. No reply from developer(s)
Vendor
Mrcgiguy (http://www.mrcgiguy.com/)
Vulnerable Software
MCG GuestBook
Version
1.0
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Cross Site Scripting found in MCG GuestBook script.

Multiple XSS in MCG GuestBook
All vulnerabilities found in gb.cgi script. It doesn't have proper XSS sanitation filters.

XSS vulnerable parameters:

  • name
  • email
  • website
  • message

All these parameters are not sanitized. This can be used to insert any html or script code. Admin panel is vulnerable also.

PoC/Exploit

XSS poc code
All form parameters dont pass any XSS sanitation filters.

XSS Examples.

Parameter "name": <script>alert('XSS Vuln')</script>

Parameter "email": "<script>alert('Vulnerable')</script>

Parameter "website": "<script>alert('Vulnerable')</script>

Parameter "message": <script>alert('XSS Vuln')</script>

Solution.

Solution for "Multiple XSS in MCG GuestBook" is not available. Check Mrcgiguy website for updates.

Order Source Code Analysis

Protect your website by source code review of your website or web application made by eVuln team.The order will be done by specialists in website security.

Website Monitoring

Daily malware scanning. Allows to receive alerts about security problems in your website.
Details >>

Malicious redirects detected?

eVuln team will eliminate the reason, clean your website and monitor it.
Details >>

Website blacklisted?

eVuln team will clean your website, discover and fix security holes, remove from blacklists.
Details >>