Simple one-file GuestBook 1.0

.:. Simple one-file guestbook 1.0 .:.

Date:
-----

August 08, 2006

Vendor:
-------

http://www.xeroxer.com/index.php?page=3

Description:
------------

This is my simple one-file guestbook.
It's made of one .php file (the script) and one .txt file (the entry storage file).
It uses no database, just a flat text file.
It is made so it's easy to include in any page.
It has admin login where you can edit and remove entries.
Demo can be found at: http://php.xeroxer.com/simple_one-file_guestbook/demo/guestbook.php
Any help needed please mail me at: webmaster@xeroxer.com

Version:
--------

<= 1.0

Vulnerability(ies) / Exploit(s):
--------------------------------

Malicious people can bypass the administrator panel and delete all of the messages in the guestbook, because there is no check
of the admin credential before the delete action runs.

PoC(s):
-------

An attacker can use this URL via the browser to delete all messages:

http://host/[path]/guestbook.php?id=4


Vendor Status:
--------------

[August 08, 2006] Informed!

Solution:
---------

[August 08, 2006] No solution available from the vendor.

You can edit the source code and check the administrator credential before any admin action is carried out.
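As an added illustration of that fix (this is not the vendor's code; it assumes, from the PoC above, that the script selects admin actions with the id parameter and that id=4 means "delete all entries", with the storage file name and the is_admin() helper being further assumptions), here is the unchecked dispatch beside a hardened one:

```php
<?php
// Added example, not the vendor's script. Assumed: admin actions are chosen
// by the "id" parameter, id=4 deletes every entry, entries live in a flat
// text file, and the admin login routine (not shown) sets $_SESSION['is_admin'].
session_start();

define('ENTRY_FILE', __DIR__ . '/entries.txt'); // assumed storage file name
define('ACTION_DELETE_ALL', 4);                  // value taken from the PoC URL

// Unchecked dispatch, the pattern the advisory describes: the action runs
// for whoever supplies the parameter, because the admin login is never consulted.
function handle_action_unchecked(int $id): void
{
    if ($id === ACTION_DELETE_ALL) {
        file_put_contents(ENTRY_FILE, '');
    }
}

// Server-side admin check. The flag must come from the session that the login
// code established after verifying the credential, never from a request
// parameter or a cookie the client can set itself.
function is_admin(): bool
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// Hardened dispatch: same action, but gated on the session flag and limited
// to POST so that a plain link cannot trigger a destructive change.
function handle_action_checked(int $id): void
{
    if ($id !== ACTION_DELETE_ALL) {
        return;
    }
    if (!is_admin()) {
        http_response_code(403);
        exit('Admin login required.');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Destructive actions must be submitted with POST.');
    }
    file_put_contents(ENTRY_FILE, '');
}

// The admin panel's delete form submits "id" by POST; anything else is ignored.
handle_action_checked((int)($_POST['id'] ?? 0));
```

The same gate belongs in front of the edit and remove-single-entry actions; a per-session CSRF token on the admin form would further ensure the POST came from the admin panel itself.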

Credit:
-------
omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org

