[This document is best seen with Font: Verdana Size: 9pt]
==========
XSS Vulnerability in Guest-book script powered by Community Architect
=============
Sites providing web-hosting service powered by Community Architect.
======
4th April, 2006
============
Cross Site Scripting (XSS)
========
Reported to 20m.com (20m.com is one of the sites powered by Community Architect)
======
20m.com fixed the vulnerability on 10th April, 2006
=============
Many web-hosting sites powered by Community Architect offer free as well as paid services to those who want to host a website on their servers. To the web designer building a website on their servers, they offer a customized Guest-book input form page (http://www.vulnerablesite.com/fsguest.html) and a Guest-book page (http://www.vulnerablesite.com/fsguestbook.html), along with a ready-made script (http://www.vulnerablesite.com/cgi-bin/guest).
A person visiting the website signs the guest-book by filling in the form at http://www.vulnerablesite.com/fsguest.html. On submission, the inputs are sent to the script, http://www.vulnerablesite.com/cgi-bin/guest, on the server. The script processes the input and updates the page, http://www.vulnerablesite.com/fsguestbook.html, to reflect the new message submitted by the user.
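The form-to-script-to-page flow described above, as an added example that is not part of the original advisory and is not Community Architect's code: a guest-book entry written into the page verbatim next to the same entry HTML-encoded on output, plus an audit check for stored entries that still contain raw markup. The field names (name, message), the entry template and the sample data are assumptions.

```python
import html
import re

# Hypothetical entry layout; the advisory does not show the real page markup.
ENTRY_TEMPLATE = '<div class="entry"><b>{name}</b>: {message}</div>\n'
ENTRY_RE = re.compile(r'<div class="entry"><b>(.*?)</b>: (.*?)</div>', re.S)


def render_entry_unsafe(name, message):
    """Vulnerable pattern: visitor input is copied into the page verbatim."""
    return ENTRY_TEMPLATE.format(name=name, message=message)


def render_entry_safe(name, message, max_len=500):
    """Hardened pattern: bound the length, then HTML-encode on output."""
    return ENTRY_TEMPLATE.format(
        name=html.escape(name[:max_len], quote=True),
        message=html.escape(message[:max_len], quote=True),
    )


def append_entry(page, entry_html):
    """Insert the new entry just before </body>, as a page-updating script would."""
    idx = page.rfind("</body>")
    if idx == -1:
        return page + entry_html
    return page[:idx] + entry_html + page[idx:]


def entries_with_raw_markup(page):
    """Audit: stored entries whose name or message still holds a literal < or >."""
    return [
        m.group(0)
        for m in ENTRY_RE.finditer(page)
        if re.search(r"[<>]", m.group(1) + m.group(2))
    ]


# Constructed sample data (not taken from the advisory).
EMPTY_PAGE = "<html><body><h1>Guest-book</h1>\n</body></html>"
SAMPLE_NAME = "visitor"
SAMPLE_MESSAGE = "<script>alert(1)</script>"

if __name__ == "__main__":
    bad = append_entry(EMPTY_PAGE, render_entry_unsafe(SAMPLE_NAME, SAMPLE_MESSAGE))
    good = append_entry(EMPTY_PAGE, render_entry_safe(SAMPLE_NAME, SAMPLE_MESSAGE))
    print("flagged entries, unsafe page:", len(entries_with_raw_markup(bad)))
    print("flagged entries, safe page:  ", len(entries_with_raw_markup(good)))
```

Because the script writes the message into a page that every later visitor loads, encoding has to happen at the point the entry is written into the HTML, not only in the input form.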
=============
For more information, please contact:-
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
Phone No.: +91-99859521