14th Apr 2003 [SBWID-6144]
COMMAND
Ocean12 ASP Guestbook script injection
SYSTEMS AFFECTED
Ocean12 ASP Guestbook Manager v1.00.
PROBLEM
In Black Tigerz Research Group Advisory [http://www.blacktigerz.org]:
Written entirely in ASP and VBScript this is a completely web-based,
easy to install, ASP Guestbook Program. It stores data in an Access
2000 database and is configured 100% through the web browser, which
means an easy installation process.
add.asp neglects filtering user input allowing for script injection to
the guestbook via "Name", "E-Mail" and "Massage" fields. The injected
script will be executed in anyones browser who visits the guestbook.
An attaker may download MS Acces database to gain administrator's
password, which is not encrypted at all. Example:
www.target.com/guestbook/admin/o12guest.mdb
SOLUTION
Unknown
The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.
