TUCoPS :: Web :: Apps :: bt504.txt

Megabook 2.0 - XSS & UA execution

- EXPL-A-2003-011 Advisory 011
-= MegaBook =-
June 29, 2003

1. XSS and Unchecked Input Length
2. Default admin password
3. XSS via UA
4. Not secure on NT
5. Undocumented attack vectors
megabook guestbook

Description of product:
"Megabook is an online guestbook that allows users that come to your
site to leave a message. These messages can also contain their e-mail
addresses, websites." "Everyone will be able to view the messages left
by past users" ...and whatever XSS they care to leave

From their FAQ:

"Q: Will Megabook work on Windows NT servers?
A: Megabook was only tested on UNIX-based servers.
There is a possibility that it could work but from
other people testing it seems that it won't."

Don't know who they use to test, but it works fine on NT (heck, I'll beta).

Note: this is a very popular script, easily found by Google (gbook.db).
All tests were run in a default state per the installation instructions
and confirmed in the wild.


where to start...

1. XSS is executable via the login field in admin.cgi, which carries no
length limit.

2. The default password is "megabook" (note: the stored hash
meJyatGfwfBXQ corresponds to "megabook").
The first two characters of the hash are always the first two characters
of the password, in order: they are the crypt(3) salt, so the stored hash
itself leaks them.

3. User-Agent XSS vulnerability in gbook.db: the User-Agent header is
stored with each entry, so a User-Agent containing script is written into
the guestbook and rendered (and executed) when the guestbook is viewed.

there are many more issues in this very popular script... I lost

4. Despite the vendor saying the script does not work on NT, it does once
Perl is installed, but this configuration is not desirable because all
files end up web-accessible
(gbook.db contains e-mail and IP addresses;
setup.db contains the weakly hashed password and admin info).

5. preview.txt, missing.txt and signgbook.cgi (sic) provide a posting
function (not documented).
--------- snip of the cgi -------------
chmod(0666, "setup.db");   # config made world-writable before every read
open (SETUP, "setup.db");  # open is not checked for failure
@setup = <SETUP>;          # file stays 0666 until the line below runs
chmod(0000, "setup.db");   # all permissions stripped again afterwards
-------- end snip--------------------

not really

real bad
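As an added example (not MegaBook's code), here is how the setup.db read quoted above could be written so that the file is never made world-writable and nothing depends on chmod(0000) taking effect; the path and file contents are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempfile);

# Read a MegaBook-style setup.db without the chmod(0666)/chmod(0000)
# dance: the file stays owner-only the whole time, so there is no window
# in which it is world-writable, and nothing relies on chmod(0000)
# working (on Win32 Perl, chmod only toggles the read-only attribute).
sub read_setup {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    # Any group/other bit exposes the hashed admin password to other
    # local users; refuse to run instead of silently "fixing" the mode.
    die sprintf("%s is too permissive (mode %04o), expected 0600\n", $path, $mode)
        if $mode & 0077;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @setup = <$fh>;
    close($fh);
    chomp @setup;
    return @setup;
}

# Demo with a constructed setup.db (placeholder contents, not real data).
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "admin\n", "xxPLACEHOLDERHASHxx\n", "webmaster\@example.invalid\n";
close($fh);

chmod 0644, $path;                      # group/other readable: rejected
eval { read_setup($path) };
print "0644: ", ($@ ? "refused - $@" : "accepted\n");

chmod 0600, $path;                      # owner-only: accepted
my @setup = read_setup($path);
print "0600: read ", scalar(@setup), " lines, admin user '$setup[0]'\n";
```

Keeping setup.db outside the document root (the demo uses a temp file) is what actually stops it from being served as a web file on either platform; the mode check only guards against other local users.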

Vendor Fix:
No fix on 0day

Vendor Contact:
Concurrent with this advisory

Donnie Werner

