CVE-2002-2376

E-Guest 1.1 - Cross-Site Scripting via Full Name, Email, Homepage, or Location Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2002-2376. PoCs published by DownBload.

AI-analyzed exploit summary This exploit demonstrates a server-side include (SSI) injection vulnerability in E-Guest guest book software. The PoC shows how arbitrary commands can be executed by embedding malicious SSI directives in the 'Full Name' field, leading to remote command execution (RCE).

Description

Cross-site scripting (XSS) vulnerability in E-Guest_sign.pl in E-Guest 1.1 allows remote attackers to inject arbitrary SSI directives, web script, and HTML via the (1) full name, (2) email, (3) homepage, and (4) location parameters. NOTE: this issue might overlap CVE-2005-1605.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DownBload · textremotelinux

https://www.exploit-db.com/exploits/21586

View Code ZIP pw:eip

This exploit demonstrates a server-side include (SSI) injection vulnerability in E-Guest guest book software. The PoC shows how arbitrary commands can be executed by embedding malicious SSI directives in the 'Full Name' field, leading to remote command execution (RCE).

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: E-Guest guest book (version not specified)

No auth needed

Prerequisites: E-Guest guest book installed on a Unix/Linux system with SSI enabled

MITRE ATT&CK