
XSS vulnerabilities in register.asp in Alan Ward Acart




Vulnerability:  XSS vulnerabilities in register.asp

Description:    The registration form in register.asp does not properly 
sanitize user input.  This means a malicious user can place script into the 
form fields when they register.  The script is stored in the database intact 
and is called and executed when the data is to be displayed.

Exploit:        The exploit was proven with a test script placed into several 
of the form's fields.
        <script>alert("test")</script>

Solution:       The developer needs to properly sanitize user input in the 
register.asp form.

Credit: CyberArmy Application and Code Auditing Team
        Parag0d

The developer was contacted regarding this matter, but never gave a reply.
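
The Solution above, sketched as an added example (not Acart's code and not part of the original advisory): validate each registration field on input and HTML-encode stored values at display time, so a value that was saved intact still renders as text. The field names, validation patterns and in-memory table are assumptions; in classic ASP the output step corresponds to Server.HTMLEncode.

```javascript
// Added illustration, not Acart code. Field names, patterns and the in-memory
// "database" are assumptions; the advisory does not show register.asp's schema.
const db = []; // stands in for the customer table

// Input side: allow only what each field can legitimately hold.
const FIELD_RULES = {
  name:  /^[\p{L}\p{M}' .-]{1,64}$/u,
  email: /^[^\s<>"'@]{1,64}@[A-Za-z0-9.-]{1,255}$/,
  city:  /^[\p{L}\p{M}' .-]{1,64}$/u,
};

function register(fields) {
  for (const [key, rule] of Object.entries(FIELD_RULES)) {
    if (typeof fields[key] !== "string" || !rule.test(fields[key])) {
      return { ok: false, rejected: key }; // refuse the whole registration
    }
  }
  db.push({ ...fields });
  return { ok: true };
}

// Output side: encode for the HTML element context at the moment of display.
// This is the control that protects rows stored before validation existed.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour the advisory describes: the stored value is written out intact.
function renderRowUnsafe(row) {
  return `<tr><td>${row.name}</td><td>${row.email}</td></tr>`;
}

// Hardened rendering: every stored field is encoded before it reaches the page.
function renderRowSafe(row) {
  return `<tr><td>${htmlEncode(row.name)}</td><td>${htmlEncode(row.email)}</td></tr>`;
}

// Constructed sample: a row saved before any input validation was in place,
// using the test string from the advisory.
const legacyRow = {
  name: '<script>alert("test")</script>',
  email: "user@example.test",
  city: "Example",
};
```

Input validation alone leaves already-stored rows dangerous, which is why the encoding is applied where the data is displayed.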