Techno Dreams GuestBook Remote XSS Exploit

2006-06-01T00:00:00
ID SECURITYVULNS:DOC:12916
Type securityvulns
Reporter Securityvulns
Modified 2006-06-01T00:00:00

Description


      -  Techno Dreams GuestBook Remote XSS Exploit -

-= http://colander.altervista.org/advisory/TDGuestBook.txt =-

  -= Techno Dreams GuestBook Latest Version =-

Omnipresent May 04, 2006

Vulnerability(s):

XSS Exploit

Product:

Techno Dreams GuestBook Latest Version

Vendor:

http://www.t-dreams.com/

Description of product:

A free, ready-to-use Guest Book ASP script. It uses MS Access with the ability to be upgraded to SQL. Now, we've added an Admin Area for the script (not in the demo). Special thanks to Victor Hugo Sosa Esquivel for the Spanish translation.

Vulnerability / Exploit:

The application is vulnerable to a stored XSS (Cross-Site Scripting) attack: guestbook comments are displayed to other visitors without being HTML-encoded.

PoC / Proof of Concept:

If a poster submits the following script in the *comments: field (after clicking Sign Our GuestBook):

<script>alert("You are vulnerabile to XSS")</script>

When a user later views the guestbook, the script executes in their browser and the message "You are vulnerabile to XSS" is displayed.
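The following added example (not part of the advisory or the vendor's code) shows the root cause and the fix side by side on the advisory's own payload: a guestbook renderer that writes the stored comment into the page verbatim, the hardened renderer that HTML-encodes every user-supplied value before output, and a simple review filter that flags stored entries containing active markup. The guestbook entries, the function names and the markup pattern are constructed for illustration.

```python
import html
import re

# Constructed sample guestbook entries; the second one carries the advisory's PoC string.
ENTRIES = [
    {"name": "alice", "comments": "Nice site, thanks!"},
    {"name": "tester", "comments": '<script>alert("You are vulnerabile to XSS")</script>'},
]


def render_vulnerable(entry):
    """Mirrors the flaw the advisory describes: the stored comment is written
    into the HTML page as-is, so any markup it contains becomes part of the page."""
    return f'<p><b>{entry["name"]}</b>: {entry["comments"]}</p>'


def render_safe(entry):
    """Hardened form: HTML-encode each user-supplied value at the point it is
    written into the page. quote=True also encodes quotes, which matters when a
    value lands inside an attribute."""
    name = html.escape(entry["name"], quote=True)
    comments = html.escape(entry["comments"], quote=True)
    return f"<p><b>{name}</b>: {comments}</p>"


# Constructed pattern for reviewing already-stored entries: script-like tags,
# inline event handlers and javascript: URLs. It is a triage aid, not a
# substitute for output encoding.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def flag_suspicious(entries):
    """Return the poster names of stored entries whose comment looks like active markup."""
    return [e["name"] for e in entries if ACTIVE_MARKUP.search(e["comments"])]


if __name__ == "__main__":
    for entry in ENTRIES:
        print("vulnerable:", render_vulnerable(entry))
        print("safe:      ", render_safe(entry))
    print("flagged for review:", flag_suspicious(ENTRIES))
```

Encoding on output is the fix that closes the issue regardless of what was stored; the review filter only helps find entries that were accepted before the fix was applied.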

Vendor Status

Not Informed!

Credits:

omnipresent omnipresent@email.it