PBL Guestbook v1.31 - XSS - CXSecurity.com

PBL Guestbook v1.31 - XSS

2006-06-14 / 2006-06-15

Credit: luny youfucktard com

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-2975

CWE: CWE-79

CVSS Base Score: 2.6/10

Impact Subscore: 2.9/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

PBLGuestbook v1.31
Homepage:
http://www.pixelatedbylev.com/
Effected files:
input boxes of the guestbook.
XSS Vulnerabilities PoC:
I noticed that common tags like <script> are filtered into the words "SCRIPT BLOCKED" in this guestbook, however img tags as well as others go unfiltered in the Name, Email,and Website boxes. In turn, this could cause an XSS
attack to occur. For PoC just enter: <IMG SRC=javascript:alert('XSS')> in any of these boxes.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PBL Guestbook v1.31 - XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.