Vendor: AllWebscripts
Product: MySQLguest
URL: http://www.allwebscripts.com

Product:
MySQLguest by Allwebscripts is a guestbook script that uses MySQL to
store messages.

Vulnerablitity:
Allwebscripts' MySQLguest is vulnerable to an HTML injection
vulnerability that is exposed via the entry submitting form. Fields in
the form are not adequately sanitized of HTML and script code.

Danger:
This may permit execution of hostile script code when a user views
pages that include the injected code.

Exploit:
On AWSguest.php one needs to fill in "Name", "Email", "Homepage" and
"Comments". The fields in this form are not sanitized so one can fill
in HTML, PHP and Javascript tags.

Exploit Example:
E-mail:       <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>

Credit:
BliZZard 

Friends:
http://www.computerknights.org
http://hackerslegion.com