[Full-Disclosure] BlackBook - Multiple Vulnerabilities

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 07/13/03

    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Sat, 12 Jul 2003 17:33:00 -0700

    ------------------------------------------------------------------
              - EXPL-A-2003-015 exploitlabs.com Advisory 015
    ------------------------------------------------------------------
                                    -= BlackBook =-

    Donnie Werner
    July 11, 2003

    Vulnerability(s):
    -----------------
    1. XSS executes JS in PHP remotely
    2. Default and plaintext password
    3. File permission issues
    4. phpinfo.php

    Product:
    --------
    EJ3 BlackBook v1.0 - S.10-VIII-2002
    http://membres.lycos.fr/eejj33/blackbook_en.php
    http://membres.lycos.fr/eejj33/download/blackbook10.zip

    Description of product:
    -----------------------
    "BlackBook is a complete guestbook script with tons of features
    that don't need MySQL to work. Search, compare & if you find
    a guestbook better that BlackBook, use it!! Author: Emilio José
    Jiménez

    Requirements:
    Webspace with PHP4 support.
    TOPo have been developed over a Apache v1.3 + PHP v4.0.6
    platform running in Windows 98 SE and have been fully tested in
    Internet Explorer v5.5"

    ummm.. ok hint: it runs on most anything with php installed

    VULNERABILITY / EXPLOIT
    =======================
    Another very popular "guestbook" type of php script with many flaws...

    1. XSS vulnerabilities lie in almost every field EXCEPT the message
    body.
    as a note, HTML is defined as "off" by default in sign.php

    "<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie
    );</SCRIPT>"

    the JS code is rendered / executed in the user's browser upon a
    trivial visit to
     http://[host]/blackbook/index.php

    2. Default user / password is "admin / pass" and stored plaintext in
    "config.php"

    3. posts are stored in /blackbook/data/data.dat which is not protected
    by default. information includes user / ip info and message info. the
    setup appears to set this perm, but it does not. setting up on a NT box
    completely makes the user believe it is setting perms 666, 777 etc..
    ( umm.. this aint your fathers *nix )

    4. phpinfo.php , lets help remote enumeration some, huh?
    ref: http://security.opennet.ru/base/exploits/1054831094_2217.txt.html

    Local:
    ------
    yes, cleartext in config.php

    Remote:
    -------
    yup we got XSS and stuff via remote

    Vendor Fix:
    -----------
    There is no fix on 0day

    Vendor Contact:
    ---------------
    Concurrent with this advisory
    ej3@myrealbox.com

    Credits:
    --------

    Donnie Werner
    morning_wood@exploitlabs.com
    http://exploitlabs.com

    Original advisory may be found at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-015-blackbook.txt
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
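Editor's note, added to this archived post and not part of the original advisory or of the BlackBook code base: the two findings that a maintainer can fix in the script itself are the missing output encoding (item 1) and the cleartext admin password in config.php (item 2). The PHP below is an illustrative, hardened rendering path and credential check; the field names (name, site, message), the function names and the sample entries are assumptions constructed for the example, not taken from the product.

```php
<?php
// Added example (not BlackBook's own code). Field names, function names and
// sample data are constructed for illustration.
declare(strict_types=1);

/** Escape one untrusted string for an HTML text or attribute context. */
function esc(string $s): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // both double- and single-quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Accept only absolute http(s) URLs for the homepage field; anything else is dropped. */
function safeUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return ($scheme === 'http' || $scheme === 'https') ? $url : null;
}

/**
 * Render one stored guestbook entry. Every field is escaped, including the
 * "minor" ones (name, homepage), which is exactly where the advisory says
 * the stored XSS sits.
 */
function renderEntry(array $entry): string
{
    $name = esc($entry['name'] ?? '');
    $url  = safeUrl($entry['site'] ?? '');
    $who  = $url !== null
        ? '<a href="' . esc($url) . '" rel="nofollow">' . $name . '</a>'
        : $name;
    // Message body: escape first, then convert newlines; never the other way round.
    $msg  = nl2br(esc($entry['message'] ?? ''));
    return "<div class=\"entry\"><p class=\"who\">{$who}</p><p>{$msg}</p></div>\n";
}

/**
 * Verify the admin login against a stored password hash instead of a
 * cleartext constant in config.php. Generate the hash once, offline:
 *   php -r 'echo password_hash("a-long-random-passphrase", PASSWORD_DEFAULT);'
 * and store only the resulting string in the config file.
 */
function adminLoginOk(string $storedHash, string $supplied): bool
{
    return password_verify($supplied, $storedHash);
}

// Constructed sample entries, including the kind of payload the advisory describes.
$entries = [
    ['name' => 'alice', 'site' => 'https://example.com',
     'message' => "hi there\nnice book"],
    ['name' => '<script>alert(document.cookie)</script>',
     'site' => 'javascript:alert(1)',
     'message' => '<b>bold?</b>'],
];

foreach ($entries as $e) {
    // The second entry is emitted as literal text: &lt;script&gt;..., and the
    // javascript: homepage is dropped rather than turned into a link.
    echo renderEntry($e);
}

// Constructed demonstration of the credential check (hash generated at runtime
// here only so the example is self-contained; in practice it lives in config.php).
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(adminLoginOk($storedHash, 'pass'));                          // bool(false)
var_dump(adminLoginOk($storedHash, 'correct horse battery staple'));  // bool(true)
```

The data file issue (item 3) is not something the script can fix with chmod on Windows; the durable fix is to keep data.dat outside the document root, or to deny it at the web server (for Apache, a Files directive in the data directory's .htaccess, or equivalent in the main config), and to verify with a plain GET that the file is no longer served. phpinfo.php (item 4) should simply be deleted from any deployed copy.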

