-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: TP-Book <= 1.00 Cross Site Scripting Vulnerabilities Release Date: 2006/07/25 Last Modified: 2006/07/25 Author: Tamriel [tamriel at gmx dot net] Application: TP-Book <= 1.00 Risk: Low Vendor Status: not contacted Vendor Site: tobias.kloy.googlepages.com Overview: Quote from tobias.kloy.googlepages.com: "Das Gaestebuch verfuegt über folgende Features: - Anpassbare Templates - Viele Systeme, um Dauerspammer auszuschließen - Admincontrol-Panel - Einfache Installation durch einen Wizard" Details: In your guestbook posts the name will not be checked by the script. Attackers can so perform cross site scripting attacks. Solution: Take a view on PHP's htmlentities function. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFExnoFqBhP+Twks7oRAvnvAJ93lO3W/o+PmtaTKitjw6qVxkXK0gCfR67W af8OIcTNC9Ggkrwlk4QLyHo= =sIc9 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/