| VID |
21802 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Advanced Guestbook, according to its version number, has an User-Agent HTML Injection Vulnerability. Advanced Guestbook is a guestbook program written in PHP. Advanced Guestbook version 2.3.2 and earlier versions are vulnerable to a cross-site scripting attack, caused by improper validation of user-supplied input passed to the 'User-Agent' HTTP header. This vulnerability could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
* Note: This check solely relied on the version number of the Advanced Guestbook installed on the remote web server to assess this vulnerability, so this might be a false positive.
* References:
http://proxy2.de/forum/viewtopic.php?t=4144
http://www.dom-team.net/advisories/Advisory2.txt
* Platforms Affected:
Leif Wright, Advanced Guestbook version 2.3.2 and earlier versions
Linux Any version
Unix Any version |
| Recommendation |
Upgrade to the latest version of Advanced Guestbook (2.3.3 or later), available from the Free php and perl scripts Web site at http://proxy2.de/scripts.php |
| Related URL |
(CVE) |
| Related URL |
14391 (SecurityFocus) |
| Related URL |
(ISS) |
|
