Big Webmaster Guestbook comment fields cross-site scripting

bwmguestbook-comment-xss (26246) The risk level is classified as Medium.

Description:

Big Webmaster Guestbook is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when adding a comment. A remote attacker could exploit this vulnerability using the mail, site, city, state or country fields to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials.
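The defect class named above, stored cross-site scripting through guestbook fields rendered without output encoding, shown as an added Python illustration. This is not Big Webmaster Guestbook's own code (the real addguest.cgi/viewguest.cgi are Perl CGI scripts); it assumes a single render step that turns one stored entry into an HTML fragment. The first renderer interpolates the stored field values verbatim, which is the pattern that makes the mail, site, city, state and country fields exploitable; the second HTML-escapes every field and emits the site value as a link only when it is an absolute http(s) URL. The sample entry and the `audit_entry` check are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Field names follow the advisory; "site" is typically rendered as a link.
FIELDS = ("name", "mail", "site", "city", "state", "country", "comment")

# Constructed sample entry: markup in "city", a non-http scheme in "site",
# and quotes in "comment" exercise the three encoding contexts below.
SAMPLE_ENTRY = {
    "name": "Alice",
    "mail": "alice@example.invalid",
    "site": "javascript:void(0)",
    "city": "<b>injected</b>",
    "state": "CA",
    "country": "US",
    "comment": 'Hello "world"',
}


def render_entry_unsafe(entry):
    """Vulnerable form (hypothetical): stored values are placed into HTML as-is."""
    return (
        '<div class="entry"><b>%(name)s</b> (%(mail)s) from '
        '%(city)s, %(state)s, %(country)s <a href="%(site)s">site</a>'
        "<p>%(comment)s</p></div>" % entry
    )


def safe_url(value):
    """Return the URL only if it is an absolute http/https URL, else empty."""
    parts = urlparse(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return value
    return ""


def render_entry_safe(entry):
    """Hardened form: escape every field for HTML, allowlist the link scheme."""
    esc = {k: html.escape(str(entry.get(k, "")), quote=True) for k in FIELDS}
    site = html.escape(safe_url(str(entry.get("site", ""))), quote=True)
    link = f'<a href="{site}" rel="nofollow">site</a>' if site else ""
    return (
        f'<div class="entry"><b>{esc["name"]}</b> ({esc["mail"]}) from '
        f'{esc["city"]}, {esc["state"]}, {esc["country"]} {link}'
        f'<p>{esc["comment"]}</p></div>'
    )


def audit_entry(entry):
    """Defender check over a stored entry: which fields carry HTML-significant
    characters or a non-http(s) site URL? Useful for reviewing an existing
    guestbook data file after upgrading the script."""
    suspicious = []
    for field in FIELDS:
        value = str(entry.get(field, ""))
        if field == "site":
            if value and not safe_url(value):
                suspicious.append(field)
        elif any(ch in value for ch in "<>\"'"):
            suspicious.append(field)
    return suspicious


if __name__ == "__main__":
    print("unsafe:", render_entry_unsafe(SAMPLE_ENTRY))
    print("safe:  ", render_entry_safe(SAMPLE_ENTRY))
    print("audit: ", audit_entry(SAMPLE_ENTRY))
```

The escaping is done at output time, on every field, regardless of what validation happened when the entry was added; that is the property the original script lacked, and it is why an upgrade that only filters one field at input time is not sufficient.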
Consequences:

Gain Access

Remedy:

Upgrade to the latest version of Big Webmaster Guestbook (1.03 or later), available from the Big Webmaster Guestbook Web site. See References.

References:

  • Big Webmaster Guestbook Web site: Guestbook Script.
  • Full-Disclosure Mailing List, Thu May 04 2006 - 11:02:11 CDT: bigwebmaster guestbook multiply XSS.
  • BID-17834: Bigwebmaster Guestbook Multiple HTML Injection Vulnerabilities
  • CVE-2006-2231: Multiple cross-site scripting (XSS) vulnerabilities in addguest.cgi in Big Webmaster Guestbook Script 1.02 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mail, (2) site, (3) city, (4) state, (5) country, and possibly (6) name fields, which are viewed via viewguest.cgi.
  • OSVDB ID: 25257: Big Webmaster Guestbook addguest.cgi Multiple Field XSS
  • SA19971: Big Webmaster Guestbook Script Multiple Script Insertion Vulnerabilities

Platforms Affected:

  • Big Webmaster Guestbook 1.02 and prior

Reported:

May 04, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com