Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12823
HistoryMay 26, 2006 - 12:00 a.m.

GuestbookXL 1.3

2006-05-2600:00:00
vulners.com
20
JSON

GuestbookXL 1.3
Homepage:
http://phpscripts.byethost12.com/guestbook.php

Description:
This simple guestbook makes it possible to store messages from users. It stores the name, Email address
(when given) as a mailto link and the message itself. It has 30 smileys at this moment, but other smileys are
easilly added to this collection. It uses a simple CSS stylesheet which is easily modified to your own needs.
It renders a valid HTML 4.01 STRICT guestbook with valid CSS2 Latest change 1: advanced linebreaking on long
words Latest change 2: advanced smiley code breaking Latest change 3: no scripts (PHP or Javascript) can be
posted in guestbook by visitor.

Effected files:
guestwrite.php
guestbook.php

Exploits & Vulns:
This script may say it doesnt allow php or javascript, however image tags amongst others areallowed. The
input forms on this guestbook don't sanatize user input correctly before generating it dynamically.

Example:
Put <IMG SRC=javascript:alert(&quot;XSS&quot;)> in as your comment

JSON