--------------------------------------------------------
realGuestbook_V5 Script and SQLInjection Vulnerability |
  Discovered by Rubén Ventura Piña (Trew)              |
            ICEnetX Team http://icenetx.net            |
http://trew.icenetx.net	   trew.revolution@gmail.com   |
--------------------------------------------------------

Date: 17 march 2007
Vendor URL: http://realscripts.de
Risk: Medium
Status: Unpatched

## Vulnerability ##

realGuestbook_V5 is a German Guestbook system. Some vulnerabilities in realGuestbook_V5 can be exploited by malicious people to conduct SQL injection or cross-site scripting attacks.

Input passed to the "name", "email", "homepage" and "text" parameters in save_entry.php is not properly santised before SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL Code.

Input passed to the "email" and "homepage" parameteres in save_entry.php is not properly santised. This can be exploited to conduct persistent XSS attacks.

## How to fix ##

Use anther product.

-----
"Maybe you can't break the system, but you can always hack it."
	http://trew.icenetx.net		trew.revolution@gmail.com