hi all
--------------------
TITLE:
MPM Guestbook "lng" Parameter Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA10122

VERIFY ADVISORY:
[Only registered and activated users can see links]

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
MPM Guestbook 1.x

DESCRIPTION:
A vulnerability has been reported in MPM Guestbook, which can be
exploited by malicious people to conduct Cross-Site Scripting
attacks.

The vulnerability is reportedly caused due to missing validation when
handling input supplied to the "lng" parameter. This can be exploited
by including arbitrary HTML or script code, which will cause it to be
executed in a user's browser session when viewed.

Example:
[Only registered and activated users can see links][victim]/guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E

The vulnerability has been reported in version 1.2. Other versions
may also be affected.

SOLUTION:
****** malicious input in a HTTP ***** or firewall with URL filtering
capabilities.

REPORTED BY / CREDITS:
David Sopas Ferreira, systemsecure.org.