Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13631
HistoryJul 26, 2006 - 12:00 a.m.

[Full-disclosure] TP-Book <= 1.00 Cross Site Scripting Vulnerabilities

2006-07-2600:00:00
vulners.com
109

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Advisory: TP-Book <= 1.00 Cross Site Scripting Vulnerabilities

Release Date: 2006/07/25
Last Modified: 2006/07/25
Author: Tamriel [tamriel at gmx dot net]
Application: TP-Book <= 1.00
Risk: Low
Vendor Status: not contacted
Vendor Site: tobias.kloy.googlepages.com

Overview:

Quote from tobias.kloy.googlepages.com:

"Das Gaestebuch verfuegt uber folgende Features:
- Anpassbare Templates
- Viele Systeme, um Dauerspammer auszuschlie?en
- Admincontrol-Panel
- Einfache Installation durch einen Wizard"

Details:

  In your guestbook posts the name will not be checked by the script.
  Attackers can so perform cross site scripting attacks.

Solution:

  Take a view on PHP&#39;s htmlentities function.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFExnoFqBhP+Twks7oRAvnvAJ93lO3W/o+PmtaTKitjw6qVxkXK0gCfR67W
af8OIcTNC9Ggkrwlk4QLyHo=
=sIc9
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/