Hiox Guestbook 3.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Hiox Guestbook 3.1
From: luny@xxxxxxxxxxxxxxx
Date: 20 May 2006 22:56:34 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hiox Guestbook 3.1

Homepage:
http://hscripts.com/scripts/php/gb.php

Description
A free guest book script that can be added in to any html website with php.

Effected files:

index.php

Exploit:

The input forms for signing the guestbook arent sanatized properally. This 
could lead users to insert malicious code causing XSS.

It should also be noted that this gb uses a flatfile gb.txt to store its info 
in, and has to be chmodded to 777. There isn't method of obscuring email 
addresses in this gb script either.

Prev by Date: Re: Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
Next by Date: [SECURITY] [DSA 1069-1] New Linux kernel 2.4.18 packages fix several vulnerabilities
Previous by thread: [SECURITY] [DSA 1068-1] New fbi packages fix denial of service
Next by thread: [SECURITY] [DSA 1069-1] New Linux kernel 2.4.18 packages fix several vulnerabilities
Index(es):
- Date
- Thread