Advisory #5 Title: SimpBook "message" Remote Cross-Site Scripting Vulnerability
Vendor Url: http://codegrrl.com/scripts/simpbook/
Affected Software: SimpBook
We Are: olimpus klan team
An input validation vulnerability in SimpBook has been reported, which can be exploited
by remote users to conduct cross-site scripting attacks.
User-supplied input passed to the "message" field isn't sanitised before being stored in
the guestbook. This can be exploited to execute arbitrary script code in the security context
of an affected website, as a result the code will be able to access any of the target user's
cookies, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
Successful exploitation requires that "html_enable" is set to "on" in "config.php".
This is set to"on" in the default installation.
Set "html_enable" to "off" in " config.php" or edit the source code to ensure that input is properly sanitised.
SimpBook version 1.0. Other versions may also be affected.
greetz: lady fire, fraude, xoxo, El_Mesias