Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Guestbooks :: a6144.htm

Ocean12 ASP Guestbook script injection
14th Apr 2003 [SBWID-6144]

	Ocean12 ASP Guestbook script injection


	Ocean12 ASP Guestbook Manager v1.00.


	In Black Tigerz Research Group Advisory []:
	Written entirely in ASP and VBScript this  is  a  completely  web-based,
	easy to install, ASP Guestbook Program. It  stores  data  in  an  Access
	2000 database and is configured 100%  through  the  web  browser,  which
	means an easy installation process.
	add.asp neglects filtering user input allowing for script  injection  to
	the guestbook via "Name", "E-Mail" and "Massage"  fields.  The  injected
	script will be executed in anyones browser who visits the guestbook.
	An attaker may  download  MS  Acces  database  to  gain  administrator's
	password,    which    is    not    encrypted    at     all.     Example:



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH