Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Guestbooks :: tb10772.htm

Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities



Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities
Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities



	netVigilance Security Advisory #12
Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities
Description:
Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , html tags handling, smiles, advanced guestbook codes and language support. The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.
External References: 
Mitre CVE: CVE-2007-0605
NVD NIST: CVE-2007-0605
OSVDB:  33877 
Summary: 
Advanced Guestbook is a PHP-based guestbook with admin interface.
Security problems in the product allows attackers to conduct XSS attacks 
This vulnerabilities can be exploited only when PHP register_globals is On.
Advisory URL: 
http://www.netvigilance.com/advisory0012 
Release Date:
05/07/2007
Severity:
Risk: Medium
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial 
Impact Bias: Normal
CVSS Base Score: 5.6
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated 
Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
Vulnerable Systems:
Advanced Guestbook 2.4.2
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the target, by sending a specially crafted request to the web-site. The vulnerable web-site is not the target of attack but is used as a tool for the hacker in the attack of the victim.
Vendor Status: 
Contact with the Vendor was established but draft of the security advisory wasn't provided because the Vendor stopped responding to our emails on 9 March 2007. There is no official fix at the release of this Security Advisory
Workaround:
Set PHP register_globals to Off.
Example: 
XSS Attack Vulnerability 1:
REQUEST:
http://[TARGET]/[guestbook-directory]/picture.php?size[0]=1&size[1]=1&img=1&picture=%22%3E%3Cscript%3Ealert(%22ok%22)%3C/script%3E%3Cimg%20src=%22 

REPLY:
Will execute 
XSS Attack Vulnerability 2:
The remote attacker can avoid the .htaccess file protection and run any script or view the contents of the templates.
Set in the COOKIES variable lang = "../[name of the script without php extension]" for example "../lib/admin.class"
REQUEST:
http://[TARGET]/[guestbook-directory]/index.php 

REPLY:
The Server will execute the script


Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com 

=09


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH