XSS Vulnerability in Guest-book script powered by Community Architect
Sites providing web-hosting service powered by Community Architect.
4th April, 2006
Cross Site Scripting (XSS)
Reported to 20m.com (20m.com is one of the sites powered by Community Architect)
20m.com fixed the vulnerability on 10th April, 2006
Many web-hosting sites powered by Community Architect offer free as well as paid services to those who want to host a website on their servers. To the web designer building a site there, they provide a customizable guest-book input form page (http://www.vulnerablesite.com/fsguest.html), a guest-book page (http://www.vulnerablesite.com/fsguestbook.html) and a ready-made CGI script (http://www.vulnerablesite.com/cgi-bin/guest) that connects the two.
A visitor signs the guest-book by filling in the form at http://www.vulnerablesite.com/fsguest.html. On submission, the form fields are sent to the script http://www.vulnerablesite.com/cgi-bin/guest on the server. The script processes the input and rewrites the page http://www.vulnerablesite.com/fsguestbook.html so that it shows the new message submitted by the visitor. Because the submitted text is written into that page, every later visitor's browser renders whatever the script stored there.
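The following is an added illustration of the flow described above, not Community Architect's own script: a guest-book entry renderer in the vulnerable form (submitted fields copied verbatim into the page) beside a hardened form (fields HTML-escaped first), plus a small audit helper for an already-generated guest-book page. The field names, the entry template and the sample submission are all assumptions constructed for the example.

```python
import html
import re

# Constructed sample submission, as the guest-book form might POST it.
# Field names are assumed; the advisory does not list them.
SAMPLE_ENTRY = {
    "name": "visitor <script>alert(1)</script>",
    "message": "Nice site! <img src=x onerror=alert(1)>",
}

# Assumed markup the script emits for one entry in fsguestbook.html.
ENTRY_TEMPLATE = "<p><b>{name}</b> wrote:<br>{message}</p>\n"


def render_entry_unsafe(entry):
    """Vulnerable pattern: the submitted fields are copied verbatim into HTML.
    Any markup the visitor typed becomes part of the stored page and is
    executed by every later browser that loads it (stored XSS)."""
    return ENTRY_TEMPLATE.format(name=entry["name"], message=entry["message"])


def render_entry_safe(entry):
    """Hardened pattern: HTML-escape every field before it reaches the page.
    quote=True also neutralises quotes, so attribute contexts are covered."""
    return ENTRY_TEMPLATE.format(
        name=html.escape(entry["name"], quote=True),
        message=html.escape(entry["message"], quote=True),
    )


# Tags the template itself produces; anything else inside an entry is foreign.
TEMPLATE_TAGS = {"<p>", "</p>", "<b>", "</b>", "<br>"}
ANY_TAG_RE = re.compile(r"<[^>]+>")


def entries_with_raw_markup(page_html):
    """Audit an existing guest-book page: return the entries that contain
    tags the template did not emit, i.e. markup that was stored unescaped."""
    suspicious = []
    for block in re.findall(r"<p>.*?</p>", page_html, flags=re.S):
        foreign = [t for t in ANY_TAG_RE.findall(block)
                   if t.lower() not in TEMPLATE_TAGS]
        if foreign:
            suspicious.append(block)
    return suspicious


if __name__ == "__main__":
    print("unsafe:", render_entry_unsafe(SAMPLE_ENTRY), end="")
    print("safe:  ", render_entry_safe(SAMPLE_ENTRY), end="")
    print("audit: ", entries_with_raw_markup(render_entry_unsafe(SAMPLE_ENTRY)))
```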
For more information, please contact:
Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-99859521