episodex guestbook security bypass & html injection

[farhad koosha <farhadkey () yahoo com>]

Vendor URL : http://www.episodex.de

HTML Injection :

"Name" & other fields in "default.asp" are not validated.
Script code will be executed in the user's browser session, when the entry is viewed.

Security Bypass :

It is possible to edit settings without authentication by accessing the scripts "admin.asp"

http://www.bahadorlover.com

3nitroToloen (!)