[UNIX] Micro Guestbook XSS
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 23 Jul 2006 16:25:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Micro Guestbook XSS
------------------------------------------------------------------------
SUMMARY
<http://www.phptoys.com/e107_plugins/content/content.php?content.10>
Micro Guestbook is "a MySQL based guestbook script with a CSS based
attractive interface. It can store the name, date, message, location, web
and email information of the visitor". A cross site scripting
vulnerability in Micro Guestbook allows remote attackers to insert
arbitrary HTML and/or Javascript into the pages returned by the product.
DETAILS
The application is vulnerable to a remote XSS bug. The fields 'name' and
'comment' are not properly sanitized before being used, so a malicious
user can exploit this vulnerability to inject arbitrary HTML and script
code.
Vulnerable code:
If you look at the code in add.php, you can see:
[...]
if (isset($_POST['submitBtn'])) {
    // Form values are taken straight from $_POST; nothing is filtered or encoded.
    $name     = (isset($_POST['name']))     ? $_POST['name']     : '';
    $comment  = (isset($_POST['comment']))  ? $_POST['comment']  : '';
    $location = (isset($_POST['location'])) ? $_POST['location'] : '';
    $website  = (isset($_POST['website']))  ? $_POST['website']  : '';
    $email    = (isset($_POST['email']))    ? $_POST['email']    : '';
    $actDate  = date("Y-m-d H:i:s");
    // Minimum name and comment length is the only check before the values are stored as-is.
    if ((strlen($name) > 2) && (strlen($comment) > 5)) {
        $sql  = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);
[...]
And in index.php you will see:
[...]
<!-- Stored values are echoed back without htmlspecialchars() or any other output encoding. -->
<div id="name"><?php echo $row['name']; ?></div>
<div id="info">
    <div id="infoicons">
    <?php
    // 'web' and 'email' are placed inside href attributes, again unencoded.
    if (strlen($row['web']) > 5)   echo '<a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
    if (strlen($row['email']) > 5) echo '<a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
    ?>
    </div>
    <div id="infodate"><?php echo $row['insertdate']; ?></div>
</div>
</div>
<div id="base">
    <div id="icon"><?php echo $row['location']; ?></div>
    <!-- nl2br() only converts newlines; the comment text itself is not encoded. -->
    <div id="text"><?php echo nl2br($row['text']); ?></div>
[...]
Proof of Concept:
You can put your own HTML or script code in the name or comment field.
Try: <script>alert("XSS")</script>
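For comparison, here is a hardened version of the index.php fragment above. This is an added example, not the Micro Guestbook project's code; it assumes $row carries the same column names as the original template and introduces the helper names h(), webLink(), mailLink() and renderEntry() for illustration.

```php
<?php
// Added example (not Micro Guestbook's own code): every database value is
// HTML-encoded at output time, so a stored payload such as
// <script>alert("XSS")</script> is displayed as text instead of executed.

/** Encode a string for safe insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Link for the "web" field; returns '' when the value is not a plain host/path. */
function webLink(string $web): string
{
    // The original prepends "http://", so only a host and optional path are accepted.
    if (strlen($web) <= 5 || !preg_match('#^[A-Za-z0-9.-]+(/[^\s"\'<>]*)?$#', $web)) {
        return '';
    }
    return '<a href="http://' . h($web) . '"><img src="style/www.gif"></a>';
}

/** Mailto link; returns '' unless the value is a syntactically valid address. */
function mailLink(string $email): string
{
    if (strlen($email) <= 5 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '';
    }
    return '<a href="mailto:' . h($email) . '"><img src="style/mail.gif"></a>';
}

/** Render one guestbook entry with all user-supplied fields encoded. */
function renderEntry(array $row): string
{
    $html  = '<div id="name">' . h($row['name']) . '</div>' . "\n";
    $html .= '<div id="info"><div id="infoicons">' . webLink($row['web']) . mailLink($row['email']) . '</div>' . "\n";
    $html .= '<div id="infodate">' . h($row['insertdate']) . '</div></div>' . "\n";
    $html .= '<div id="base"><div id="icon">' . h($row['location']) . '</div>' . "\n";
    // Encode first, then convert newlines, so the <br> tags from nl2br() are the only markup.
    $html .= '<div id="text">' . nl2br(h($row['text'])) . '</div></div>' . "\n";
    return $html;
}

// Constructed sample row carrying the advisory's proof-of-concept payload.
$row = [
    'name' => '<script>alert("XSS")</script>', 'text' => "hi\n<b>there</b>",
    'insertdate' => '2006-07-23 16:25:00', 'location' => 'NL',
    'web' => 'example.com/guest', 'email' => 'visitor@example.com',
];
echo renderEntry($row);
```

The name field is emitted as `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;`, and the comment keeps its line break while its `<b>` tag is shown literally.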
ADDITIONAL INFORMATION
The information has been provided by <mailto:omnipresent@xxxxxxxx>
omnipresent.