
ag-xss.txt

Posted May 8, 2007
Authored by Jesper Jurcenoks | Site netvigilance.com

Advanced Guestbook version 2.4.2 is prone to cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2007-0605
SHA-256 | 6bdfc9777ed4da0bafb99d979cdc57b15facfac3c3b35ec85cbd98622842895d

netVigilance Security Advisory #12

Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities

Description:
Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning, HTML tags handling, smiles, advanced guestbook codes and language support. The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.

External References:
Mitre CVE: CVE-2007-0605
NVD NIST: CVE-2007-0605
OSVDB: 33877

Summary:
Advanced Guestbook is a PHP-based guestbook with admin interface.
Security problems in the product allow attackers to conduct XSS attacks.
These vulnerabilities can be exploited only when PHP register_globals is On.
Advisory URL:
http://www.netvigilance.com/advisory0012

Release Date:
05/07/2007

Severity:
Risk: Medium

CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
Vulnerable Systems:
Advanced Guestbook 2.4.2
Vulnerability Type:
XSS (Cross-Site Scripting): a specially crafted request sent to the web site forces it to display malicious content to the target. The vulnerable web site is not itself the target of the attack; it is used as a tool in the attack on the victim.
Vendor Status:
Contact with the vendor was established, but a draft of the security advisory was not provided because the vendor stopped responding to our emails on 9 March 2007. There is no official fix at the release of this Security Advisory.
Workaround:
Set PHP register_globals to Off.
Example:
XSS Attack Vulnerability 1:
REQUEST:
http://[TARGET]/[guestbook-directory]/picture.php?size[0]=1&size[1]=1&img=1&picture=%22%3E%3Cscript%3Ealert(%22ok%22)%3C/script%3E%3Cimg%20src=%22

REPLY:
Will execute <script>alert(document.cookie)</script>
XSS Attack Vulnerability 2:
A remote attacker can bypass the .htaccess file protection and run any script or view the contents of the templates.
Set the cookie variable lang to "../[name of the script without php extension]", for example "../lib/admin.class".
REQUEST:
http://[TARGET]/[guestbook-directory]/index.php

REPLY:
The Server will execute the script
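
Both issues reduce to request data reaching a sink unchecked: an uninitialised variable echoed into HTML, and a cookie value used to build a file path. The sketch below is an added example, not Advanced Guestbook's source and not netVigilance's code. It assumes $picture ends up inside an <img src> attribute, emulates register_globals with extract(), and uses hypothetical function names and language names.

```php
<?php
// Added illustration: a simplified model, NOT Advanced Guestbook's source.
// Assumption: the page places $picture inside an <img src="..."> attribute.

// Emulates register_globals=On: every request parameter becomes a variable,
// so a variable the script never initialised is attacker-controlled.
function render_vulnerable(array $request): string {
    extract($request);                       // what register_globals did implicitly
    return '<img src="' . $picture . '">';   // raw value in attribute context
}

// Hardened: read the one expected parameter explicitly, constrain it to a
// plain image file name, and HTML-encode it for the attribute context.
function render_hardened(array $request): string {
    $picture = isset($request['picture']) ? (string)$request['picture'] : '';
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:gif|jpe?g|png)\z/', $picture)) {
        return '';                           // anything else is rejected outright
    }
    return '<img src="' . htmlspecialchars($picture, ENT_QUOTES, 'UTF-8') . '">';
}

// Hardened handling for the "lang" cookie from vulnerability 2: map the value
// onto a fixed allowlist instead of building a file path from it.
// The language names passed in below are hypothetical.
function pick_language(array $cookies, array $allowed, string $default): string {
    $lang = isset($cookies['lang']) ? (string)$cookies['lang'] : $default;
    return in_array($lang, $allowed, true) ? $lang : $default;
}

// Constructed inputs: the URL-decoded 'picture' value from the request in
// vulnerability 1 and the cookie value from vulnerability 2.
$payload = '"><script>alert("ok")</script><img src="';
$allowed = ['english', 'german'];

echo render_vulnerable(['picture' => $payload]), "\n";
echo render_hardened(['picture' => $payload]), "\n";
echo render_hardened(['picture' => 'photo1.jpg']), "\n";
echo pick_language(['lang' => '../lib/admin.class'], $allowed, 'english'), "\n";
```

Turning register_globals Off removes the implicit variable injection; the explicit read, validation and output encoding shown in the hardened functions keep the page safe regardless of that setting.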


Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
