lostBook Guest Book Multiple Field Script Insertion

2004-07-29T05:36:03
ID OSVDB:8271
Type osvdb
Reporter Joseph Moniz(r3d_5pik3@yahoo.com)
Modified 2004-07-29T05:36:03

Description

Vulnerability Description

lostBook contains a flaw that allows a remote attacker to inject arbitrary JavaScript code. This flaw exists because the application does not validate user-supplied input to the 'email' and 'website' fields before it is included in guest book entries. This could allow a remote attacker to create a specially crafted URL that would execute arbitrary JavaScript code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
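The flaw described above is a stored cross-site scripting issue: values typed into the 'email' and 'website' fields are written into the guest book page as-is, so markup or a script-scheme URL in those fields becomes part of the HTML every later visitor loads. The following is an added example, not lostBook's own code (the advisory shows none), of how a guest book renderer neutralizes that: each field is validated on input (a conservative e-mail syntax check, and only absolute http/https URLs with a host for the website link) and every field is HTML-escaped on output, including inside the href attributes. The entries, the field names and the HTML layout are constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample entries (not data from lostBook). The second and third
# carry markup and a script-scheme URL in exactly the two fields the advisory
# names, so the rendering below can show them being rejected and escaped.
SAMPLE_ENTRIES = [
    {"name": "alice", "email": "alice@example.com",
     "website": "http://example.com/", "message": "Nice site!"},
    {"name": "mallory", "email": '"><script>alert(1)</script>',
     "website": 'http://example.org/"><script>alert(1)</script>',
     "message": "<img src=x onerror=alert(1)>"},
    {"name": "trudy", "email": "trudy@example.net",
     "website": "javascript:alert(1)", "message": "hello"},
]

# Conservative syntactic check: exactly one '@', no whitespace or HTML /
# attribute delimiters anywhere, and a dotted domain part.
_EMAIL_RE = re.compile(r'^[^\s@<>"\'()]+@[^\s@<>"\'()]+\.[A-Za-z0-9-]{2,}$')


def validate_email(value: str) -> Optional[str]:
    """Return the trimmed address if it passes the syntax check, else None."""
    value = value.strip()
    return value if _EMAIL_RE.fullmatch(value) else None


def validate_website(value: str) -> Optional[str]:
    """Accept only absolute http(s) URLs that have a host and contain no
    control or delimiter characters. This rejects 'javascript:' and 'data:'
    schemes as well as values that try to break out of the href attribute."""
    value = value.strip()
    if len(value) > 2048 or any(ch in value for ch in ' <>"\'\t\r\n'):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return value


def render_entry(entry: dict) -> str:
    """Build the HTML for one guest book entry.

    Every field is escaped on output with quote=True, which makes it safe in
    both element text and quoted attribute values. The email and website
    fields are additionally validated; when validation fails the link is
    simply omitted rather than rendered from the untrusted value.
    """
    def esc(s: str) -> str:
        return html.escape(s, quote=True)

    name = esc(entry.get("name", ""))
    message = esc(entry.get("message", ""))
    email = validate_email(entry.get("email", ""))
    website = validate_website(entry.get("website", ""))

    parts = [f'<div class="entry"><span class="name">{name}</span>']
    if email:
        parts.append(f' <a href="mailto:{esc(email)}">email</a>')
    if website:
        parts.append(f' <a href="{esc(website)}" rel="nofollow">website</a>')
    parts.append(f"<p>{message}</p></div>")
    return "".join(parts)


def render_guest_book(entries) -> str:
    """Render all entries, one block per entry."""
    return "\n".join(render_entry(e) for e in entries)


if __name__ == "__main__":
    print(render_guest_book(SAMPLE_ENTRIES))
```

Validation alone is not the fix: the name and message fields are not validated here at all, and they are still safe because the output escaping is unconditional. Validating the two link fields matters for a different reason, namely that a URL-typed field ends up in an href, where escaping does nothing against a `javascript:` scheme.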

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

lostBook contains a flaw that allows a remote attacker to inject arbitrary JavaScript code. This flaw exists because the application does not validate user-supplied input to the 'email' and 'website' fields before it is included in guest book entries. This could allow a remote attacker to create a specially crafted URL that would execute arbitrary JavaScript code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

Vendor URL: http://verylost.tk
Security Tracker: 1010812
Secunia Advisory ID: 12190
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0324.html