


MicroGuestBook Remote XSS Attack






.:. MicroGuestBook Remote XSS Bug .:.

Date:
-----

July 2006, 22

Product:
--------

MicroGuestBook Latest Version

Vendor:
-------

http://www.phptoys.com

Description:
------------

Micro guestbook is a MySQL-based guestbook script with an attractive CSS-based interface. It can store the name, date,
message, location, web and email information of the visitor.

Exploit(s)/Advisory(ies):
-------------------------

The application is vulnerable to a remote XSS bug. The fields 'name' and 'comment' are not sanitized before being
stored, nor encoded before being displayed, so a malicious visitor can exploit this to inject arbitrary HTML and script
code into the guestbook page that every later visitor sees.

If you look at the code in add.php you can see:
[...]

if (isset($_POST['submitBtn'])) {
    $name     = (isset($_POST['name'])) ? $_POST['name'] : '' ;
    $comment  = (isset($_POST['comment'])) ? $_POST['comment'] : '' ;
    $location = (isset($_POST['location'])) ? $_POST['location'] : '' ;
    $website  = (isset($_POST['website'])) ? $_POST['website'] : '' ;
    $email    = (isset($_POST['email'])) ? $_POST['email'] : '' ;
    $actDate  = date("Y-m-d H:i:s");

    //Minimum name and comment length.
    // Length is the only check applied: no character filtering, no HTML encoding.
    if ((strlen($name) > 2) && (strlen($comment) > 5)){
        // The posted values are concatenated into the INSERT exactly as received.
        $sql = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);

[...]
And in index.php you will see:

[...]

<?php
if (strlen($row['web']) > 5)   echo '<a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
if (strlen($row['email']) > 5) echo '<a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
?>

[...]

The stored values are written back into the page exactly as they were posted; nothing in the quoted code passes them
through htmlspecialchars() or an equivalent encoder, so any HTML in a stored entry is interpreted by the browser of
every visitor who views the guestbook.

PoC(s):
-------

You can put your own HTML or script code in the field name or comment. Try:

Vendor Status:
--------------

[July 2006, 22] Vendor contacted!

Patches:
--------

[July 2006, 22] At the moment there is no patch available from the vendor. You can take a look at this site if a patch will
be posted up:

http://www.phptoys.com

If you don't want to wait, edit the source code yourself: pass every value that index.php reads from the database through
htmlspecialchars() before echoing it, so that posted HTML is displayed as text instead of being interpreted by the browser.

Credits:
--------

omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org
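As an added example that is not part of the original advisory and not the vendor's code, the following stand-alone PHP script models the two code paths quoted above (storing a posted entry, then echoing the stored row into the page) with a constructed XSS payload, and puts the hardened version beside it. The posted fields, the payload, the in-memory SQLite table standing in for the MySQL guestbook table, and the helper names (render_vulnerable, render_safe, h) are this example's own assumptions.

```php
<?php
// Added example (not MicroGuestBook's code): models the add.php/index.php flow
// quoted in the advisory and shows the fix. Everything below is constructed:
// the in-memory SQLite table standing in for the MySQL guestbook table, the
// posted fields, the payload, and the helper names.

// 1. A POST body an attacker could send to add.php. It passes the only check
//    add.php applies (strlen(name) > 2 && strlen(comment) > 5).
$post = [
    'name'     => '<script>alert(document.cookie)</script>',
    'comment'  => 'Nice site! <img src=x onerror="alert(1)">',
    'location' => 'nowhere',
    'website'  => 'example.com"><script>alert(2)</script><a href="',
    'email'    => 'a@example.com',
];

// 2. Storage. The vendor code concatenates the raw fields into the INSERT;
//    here the same INSERT is done with bound parameters, so quotes or other
//    SQL metacharacters in the fields cannot alter the statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (name TEXT, text TEXT, insertdate TEXT, location TEXT, web TEXT, email TEXT)');

$stmt = $db->prepare('INSERT INTO guestbook (name, text, insertdate, location, web, email)
                      VALUES (:name, :text, :insertdate, :location, :web, :email)');
$stmt->execute([
    ':name'       => $post['name'],
    ':text'       => $post['comment'],
    ':insertdate' => date('Y-m-d H:i:s'),
    ':location'   => $post['location'],
    ':web'        => $post['website'],
    ':email'      => $post['email'],
]);

// 3. Rendering as index.php does it: the stored values go into the HTML unchanged.
function render_vulnerable(array $row): string
{
    $html = '<div class="entry"><b>'.$row['name'].'</b> '.$row['insertdate'].' '.$row['location'];
    if (strlen($row['web']) > 5)   $html .= ' <a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
    if (strlen($row['email']) > 5) $html .= ' <a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
    return $html.'<p>'.$row['text'].'</p></div>';
}

// 4. Hardened rendering: encode every value for the HTML context it lands in.
function h(string $s): string
{
    // ENT_QUOTES encodes both quote styles, so the result is safe in element
    // text and inside single- or double-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $row): string
{
    $html = '<div class="entry"><b>'.h($row['name']).'</b> '.h($row['insertdate']).' '.h($row['location']);
    // Links get validation on top of encoding. Encoding alone already keeps the
    // attribute value inert; the filter additionally drops values that are not
    // a syntactically valid http:// URL or e-mail address.
    $url = 'http://'.$row['web'];
    if (strlen($row['web']) > 5 && filter_var($url, FILTER_VALIDATE_URL) !== false) {
        $html .= ' <a href="'.h($url).'"><img src="style/www.gif"></a>';
    }
    if (strlen($row['email']) > 5 && filter_var($row['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $html .= ' <a href="mailto:'.h($row['email']).'"><img src="style/mail.gif"></a>';
    }
    return $html.'<p>'.h($row['text']).'</p></div>';
}

// 5. Read the row back and show both renderings side by side.
$row = $db->query('SELECT * FROM guestbook')->fetch(PDO::FETCH_ASSOC);

echo "--- index.php as shipped (script element reaches the browser) ---\n";
echo render_vulnerable($row), "\n\n";
echo "--- with output encoding (payload is displayed as text) ---\n";
echo render_safe($row), "\n";
```

Run it with the php command-line binary (it needs the pdo_sqlite extension). The first rendering contains the `<script>` element verbatim; the second shows it as `&lt;script&gt;` text. The encoding belongs at output, on every value, because entries are stored once and displayed to every later visitor. The bound-parameter INSERT replaces the string-concatenated SQL shown in add.php; the advisory does not discuss whether that concatenation is exploitable (on a PHP install of that era it depends on the magic_quotes_gpc setting), and binding the parameters removes the question.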

