Emefa Guestbook sign.asp Multiple Field Arbitrary HTML Injection

2005-08-17T10:26:12
ID OSVDB:18848
Type osvdb
Reporter David Sopas Ferreira (smok3f00@gmail.com)
Modified 2005-08-17T10:26:12

Description

Vulnerability Description

Emefa Guestbook contains a flaw that allows arbitrary HTML injection. The flaw exists because the application does not validate the name, email, location and message variables when they are submitted to the 'sign.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
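The mitigation for this class of flaw is to treat every submitted guestbook field as untrusted text and HTML-encode it before it is written back into a page. The following Python snippet is an added illustration of that hardening and is not Emefa Guestbook's own code (the product is written in classic ASP); the field names are the four named in the description, and the form dictionary and sample submission are constructed here.

```python
import html

# The four fields sign.asp accepts, as named in the advisory.
FIELDS = ("name", "email", "location", "message")
MAX_LEN = {"name": 64, "email": 128, "location": 64, "message": 2000}


def sanitize_entry(form):
    """Return the submitted fields with HTML metacharacters escaped.

    `form` is a mapping of field name to raw submitted string (constructed
    here; in a real handler it comes from the request). Each value is
    truncated to a sane length and then escaped so that <, >, &, " and '
    can no longer terminate or start HTML tags or attributes.
    """
    clean = {}
    for field in FIELDS:
        raw = str(form.get(field, ""))[: MAX_LEN[field]]
        clean[field] = html.escape(raw, quote=True)
    return clean


def render_entry(form):
    """Render one guestbook entry using only the escaped field values."""
    e = sanitize_entry(form)
    return (
        '<div class="entry"><b>{name}</b> ({email}, {location})'
        "<p>{message}</p></div>"
    ).format(**e)


if __name__ == "__main__":
    # Constructed submission: markup in a field must come out as inert text.
    submission = {
        "name": '<b onmouseover="x()">guest</b>',
        "email": "guest@example.invalid",
        "location": "nowhere",
        "message": "hello <i>world</i>",
    }
    print(render_entry(submission))
```

The escaped values can be stored as-is and rendered directly; if the original input must be kept, store it raw and escape at render time instead, but never do neither.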

References:

Vendor URL: http://www.emefa.myserver.org/comp/guestview.php
Secunia Advisory ID: 16489
Other Advisory URL: http://systemsecure.org/ssforum/viewtopic.php?t=91
CVE ID: CVE-2005-2650