9 lines
No EOL
575 B
Text
9 lines
No EOL
575 B
Text
source: http://www.securityfocus.com/bid/6686/info
|
|
|
|
Guestbook does not adequately filter HTML tags from various fields. This may enable an attacker to inject arbitrary script code into pages that are generated by the guestbook.
|
|
|
|
The attacker's script code may be executed in the web client of arbitrary users who view the pages generated by the guestbook, in the security context of the website running the software.
|
|
|
|
The following proof of concept was provided by inserting malicious HTML code into the Title, Name and Comment fields:
|
|
|
|
<script>alert('test')</script> |