[UNIX] phpGB Cross Site Scripting Bug
From: support@securiteam.com
Date: 09/12/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 12 Sep 2002 13:21:21 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpGB Cross Site Scripting Bug
------------------------------------------------------------------------
SUMMARY
phpGB is a PHP/MySQL based guestbook. The product does not filter input,
which allows a remote attacker to insert malicious code segments into
guestbook entries. This leads to a cross-site scripting attack.
DETAILS
Vulnerable systems:
* phpGB version 1.10 and prior
Immune systems:
* phpGB version 1.20
An attacker can insert malicious JavaScript code into a guestbook entry.
When an administrator tries to delete this entry, the script is executed
in the administrator's browser. The attacker can therefore obtain the
administrator's session id and use it to enter the administrative area
without being asked to authenticate.
Proof-of-concept:
Enter the following guestbook entry:
"delete me <script>alert(document.cookie)</script>"
When an administrator tries to delete this entry, a popup showing his
session id will come up. Of course, it is quite easy to submit this
session id to the attacker's server instead of showing this popup.
Temporary-fix:
Filter all inputs for unwanted code segments like HTML or JavaScript code.
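An added example (not phpGB's code and not part of the original advisory) of the filtering described above, done as HTML encoding at output time in PHP, the language phpGB is written in. The function names, the `admin.php` delete URL and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from phpGB.

// Defence in depth: mark the session cookie HttpOnly so page scripts
// cannot read it through document.cookie. Must run before any output.
ini_set('session.cookie_httponly', '1');

// Encode a stored guestbook field for use in an HTML text context.
function gb_escape(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so the result is also safe
    // inside quoted attribute values. ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row of the administrator's "delete entry" list.
function gb_render_admin_row(array $entry): string
{
    $id   = (int) $entry['id'];                 // numeric id: cast it
    $name = gb_escape($entry['name']);
    $text = nl2br(gb_escape($entry['text']));   // encode first, then add <br />

    // admin.php?action=delete is a hypothetical URL layout.
    return "<tr><td>{$name}</td><td>{$text}</td>"
         . "<td><a href=\"admin.php?action=delete&amp;id={$id}\">delete</a></td></tr>";
}

// Constructed sample rows. The second one is the advisory's
// proof-of-concept entry.
$entries = [
    ['id' => 1, 'name' => 'Alice', 'text' => "Nice site!\nGreetings"],
    ['id' => 2, 'name' => 'guest',
     'text' => 'delete me <script>alert(document.cookie)</script>'],
];

// The <script> tag is emitted as &lt;script&gt;, so the browser shows it
// as text in the admin view instead of executing it.
foreach ($entries as $entry) {
    echo gb_render_admin_row($entry), "\n";
}
```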
Fix:
phpGB 1.2 filters all inputs; upgrade to it as soon as possible.
Vendor status:
The author has fixed this issue, and recommends that users upgrade to the
latest version.
ADDITIONAL INFORMATION
The information has been provided by ppp-design <security@ppp-design.de>.