MicroGuestBook.txt
Posted Jul 24, 2006
Authored by Omnipresent | Site it.security.netsons.org

MicroGuestBook suffers from a cross site scripting flaw.

tags | advisory, xss
SHA-256 | 8ed0dca4560aa0bc7dd5e706737062f3c99e5799c368920947cb7273e945cc24

.:. MicroGuestBook Remote XSS Bug .:.

Date:
-----

22 July 2006

Product:
--------

MicroGuestBook, latest version available from the vendor at the time of writing

Vendor:
-------

http://www.phptoys.com

Description:
------------

MicroGuestBook is a MySQL-based guestbook script with a CSS-based interface. It stores the name, date, message,
location, website and e-mail address of each visitor who signs it.

Exploit(s)/Advisory(ies):
-------------------------

The application is vulnerable to stored (persistent) cross-site scripting. The 'name' and 'comment' fields are neither
validated on input nor encoded on output, so a remote attacker can inject arbitrary HTML and script code that is saved
to the database and then executed in the browser of every visitor who views the guestbook. The excerpts below also show
that the 'location', 'web' and 'email' fields are echoed in the same way, and that all of the submitted values are
concatenated directly into the INSERT statement.

Looking at the code in add.php, which handles the submitted form:

[...]

if (isset($_POST['submitBtn'])) {
    // The POST values are taken as-is: no validation, escaping or encoding.
    $name     = (isset($_POST['name']))     ? $_POST['name']     : '' ;
    $comment  = (isset($_POST['comment']))  ? $_POST['comment']  : '' ;
    $location = (isset($_POST['location'])) ? $_POST['location'] : '' ;
    $website  = (isset($_POST['website']))  ? $_POST['website']  : '' ;
    $email    = (isset($_POST['email']))    ? $_POST['email']    : '' ;
    $actDate  = date("Y-m-d H:i:s");

    // Minimum name and comment length is the only check before the INSERT.
    if ((strlen($name) > 2) && (strlen($comment) > 5)){
        // The raw values are concatenated into the SQL string and stored unchanged.
        $sql  = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);

[...]

And in index.php, where each stored row is rendered for every visitor:

[...]

<div id="name"><?php echo $row['name']; ?></div>  <!-- stored name printed without encoding -->
<div id="info">
  <div id="infoicons">
    <?php
    // Stored values are placed inside href attributes without encoding.
    if (strlen($row['web']) > 5) echo '<a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
    if (strlen($row['email']) > 5) echo '<a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
    ?>
  </div>
  <div id="infodate"><?php echo $row['insertdate']; ?></div>
</div>
</div>
<div id="base">
  <div id="icon"><?php echo $row['location']; ?></div>  <!-- stored location printed without encoding -->
  <div id="text"><?php echo nl2br($row['text']); ?></div>  <!-- nl2br() adds <br /> tags but does not encode HTML -->

[...]

PoC(s):
-------

Submit your own HTML or script code in the 'name' or 'comment' field of the add.php form. It is stored and then
rendered to every visitor of index.php; the only constraint is the minimum length check (more than 2 characters for
the name, more than 5 for the comment), which the following payload satisfies:

<script>alert("XSS")</script>

Vendor Status:
--------------

[22 July 2006] Vendor contacted.

Patches:
--------

[22 July 2006] No patch is available from the vendor at the time of writing. Check the vendor site to see whether one
has been posted:

http://www.phptoys.com

If you do not want to wait, edit the source yourself: encode every stored value with htmlspecialchars() at the point
where index.php prints it (encoding the output is what neutralises the injected markup; filtering the input alone is
easy to get wrong), and, since add.php concatenates the same raw values into its INSERT statement, pass them through a
prepared statement or escape them for the database as well.
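One way to make that edit, given here as an added example and not as the vendor's code: hardened replacements for the
two fragments quoted above. It assumes a PDO connection in $pdo and PHP 7 or later, keeps the original table and column
names and the original minimum-length rule, and adds length caps and a deliberately strict allowlist pattern for the
website field; those caps and that pattern are choices of this example, not part of the product.

```php
<?php
// Added example (not MicroGuestBook's own code): hardened replacements for
// the add.php and index.php fragments quoted in the advisory. $pdo, the
// length caps and the website allowlist pattern are assumptions.

// --- add.php: validate, then insert with bound parameters ----------------
function store_entry(PDO $pdo, array $post): bool
{
    $name     = trim((string) ($post['name']     ?? ''));
    $comment  = trim((string) ($post['comment']  ?? ''));
    $location = trim((string) ($post['location'] ?? ''));
    $website  = trim((string) ($post['website']  ?? ''));
    $email    = trim((string) ($post['email']    ?? ''));

    // Original minimum lengths, plus upper bounds so the fields stay sane.
    if (strlen($name) <= 2 || strlen($comment) <= 5
        || strlen($name) > 64 || strlen($comment) > 4000) {
        return false;
    }
    // The web and email values end up inside href attributes, so refuse
    // anything that is not a plain host[/path] or a syntactically valid
    // address instead of storing it (strict allowlist, an assumption here).
    if ($website !== '' && !preg_match('#^[A-Za-z0-9.-]+(/[A-Za-z0-9._~/-]*)?$#', $website)) {
        return false;
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Bound parameters: user data never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, text, insertdate, location, web, email)
         VALUES (:name, :text, :insertdate, :location, :web, :email)'
    );
    return $stmt->execute([
        ':name'       => $name,
        ':text'       => $comment,
        ':insertdate' => date('Y-m-d H:i:s'),
        ':location'   => $location,
        ':web'        => $website,
        ':email'      => $email,
    ]);
}

// --- index.php: encode on output, for the context each value lands in ----
function h(string $s): string
{
    // ENT_QUOTES encodes both quote characters, so the result is safe in
    // element content and inside double- or single-quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_entry(array $row): string
{
    $out  = '<div id="name">' . h($row['name']) . '</div>';
    $out .= '<div id="info"><div id="infoicons">';
    if (strlen($row['web']) > 5) {
        // The template fixes the scheme to http://, so a javascript: URL
        // cannot be introduced; encoding keeps the value inside the attribute.
        $out .= '<a href="http://' . h($row['web']) . '"><img src="style/www.gif"></a>';
    }
    if (strlen($row['email']) > 5) {
        $out .= '<a href="mailto:' . h($row['email']) . '"><img src="style/mail.gif"></a>';
    }
    $out .= '</div><div id="infodate">' . h($row['insertdate']) . '</div></div>';
    $out .= '<div id="base"><div id="icon">' . h($row['location']) . '</div>';
    // Encode first, then add line breaks: nl2br() must see already-safe text
    // so that its own <br /> tags are the only markup in the output.
    $out .= '<div id="text">' . nl2br(h($row['text'])) . '</div></div>';
    return $out;
}

// Usage: a constructed sample row carrying the advisory's PoC payload in the
// name field and a second payload in the comment, pushed through the renderer.
$row = [
    'name'       => '<script>alert("XSS")</script>',
    'text'       => "first line\n<img src=x onerror=alert(1)>",
    'insertdate' => '2006-07-22 00:00:00',
    'location'   => 'Italy',
    'web'        => 'example.org',
    'email'      => 'guest@example.org',
];
echo render_entry($row), "\n";
```

Run from the command line with php, the script prints the row with the angle brackets and quotes of both payloads
turned into entities, so the browser displays the text instead of executing it. The two halves address different
problems: store_entry() keeps the raw values out of the SQL text, while render_entry() is what stops the XSS; the
input allowlist is defence in depth for the two values that are later placed in href attributes and does not replace
output encoding, since rows already in the database were never validated.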

Credits:
--------

omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org