###########################################################################

Advisory #5 Title: SimpBook "message" Remote Cross-Site Scripting Vulnerability

Author: 0o_zeus_o0

Contact: [email protected]

Website: Elitemexico.org

Date: 05/01/2006

Risk: High

Vendor Url: http://codegrrl.com/scripts/simpbook/

Affected Software: SimpBook

Non Affected:

We Are: olimpus klan team

#TECHNICAL INFO
#================================================================

#An input validation vulnerability in SimpBook has been reported, which can be exploited

#by remote users to conduct cross-site scripting attacks.

#User-supplied input passed to the "message" field isn't sanitised before being stored in

#the guestbook. This can be exploited to execute arbitrary script code in the security context

#of an affected website, as a result the code will be able to access any of the target user's

#cookies, access data recently submitted by the target user via web form to the site, or take

#actions on the site acting as the target user.

#Successful exploitation requires that "html_enable" is set to "on" in "config.php".

#This is set to"on" in the default installation.

#Solution:

#Set "html_enable" to "off" in " config.php" or edit the source code to ensure that input is properly sanitised.

#VULNERABLE VERSIONS
#================================================================
#SimpBook version 1.0. Other versions may also be affected.

#================================================================
#Contact information
#0o_zeus_o0
#[email protected]
#www.olimpusklan.org
#================================================================
#greetz: lady fire, fraude, xoxo, El_Mesias
##############################################################################