
Max's Guestbook (XSS) Remote Vulnerability



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%%
%% Discovered by: GTADarkDude
%% Discovered on: 10 December 2008
%% Name: Max's Guestbook
%% Version: 1.0
%% URL: http://www.phpf1.com/product/php-guestbook-script.html
%% URL2: http://www.hotscripts.com/Detailed/78571.html
%% Google Search: intitle:"Max's Guestbook" powered-by-PHP-F1
%%
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


*** File ***

maxGuestbook.class


*** Vulnerable Code ***

function insertMessage(){
   $name   = isset($_POST['name']) ? $_POST['name'] : 'Anonymous';
   $email  = isset($_POST['email']) ? $_POST['email'] : '';
   $submitDate  = date($this->dateFormat);
   $content = isset($_POST['message']) ? $_POST['message'] : '';
   //(...)
   $f = fopen($this->messageDir.DIRECTORY_SEPARATOR.$filename.".txt","w+");
   fwrite($f,$name."\n");
   fwrite($f,$email."\n");
   fwrite($f,$submitDate."\n");
   fwrite($f,$content."\n");
   fclose($f);
}

*** Exploit ***

$_POST['name'], $_POST['email'] and $_POST['message'] are not filtered at all:
neither when inserted [insertMessage()] nor when displayed [displayGuestbook($page)] -> XSS!

POST DATA: name=; message=qwertyuiop


*** Solution ***

Easy: simply filter all the $_POST and $_GET variables, for example with htmlentities($var, ENT_QUOTES).
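The following is an added example, not code from Max's Guestbook or PHP F1, showing one way to apply the fix above. It keeps the script's one-field-per-line text-file layout but escapes the fields with ENT_QUOTES at the point where they are turned into HTML, and it flattens newlines in the single-line fields so a crafted name cannot shift the fields that follow it. The function names (escapeHtml, writeEntry, renderEntry) and the sample entry are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Escape a value for use in HTML text and attribute contexts.
// ENT_QUOTES also escapes ' and " so the value is safe inside quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store an entry the way insertMessage() does: name, email, date on one line each,
// followed by the message. Newlines are stripped from the single-line fields so
// the file always parses back into the same four fields.
function writeEntry(string $dir, string $filename, string $name, string $email, string $content): string
{
    $oneLine = static fn(string $v): string => str_replace(["\r", "\n"], ' ', $v);
    // basename() keeps a caller-supplied filename from escaping the message directory.
    $path = $dir . DIRECTORY_SEPARATOR . basename($filename) . '.txt';
    $data = $oneLine($name) . "\n"
          . $oneLine($email) . "\n"
          . date('Y-m-d H:i:s') . "\n"
          . $content . "\n";
    file_put_contents($path, $data, LOCK_EX);
    return $path;
}

// Render a stored entry as HTML. The raw text stays in the file unchanged;
// every field passes through escapeHtml() on the way out, so markup submitted
// in $_POST['name'], $_POST['email'] or $_POST['message'] is shown as text.
function renderEntry(string $path): string
{
    $lines   = file($path, FILE_IGNORE_NEW_LINES) ?: [];
    $name    = $lines[0] ?? '';
    $email   = $lines[1] ?? '';
    $date    = $lines[2] ?? '';
    $content = implode("\n", array_slice($lines, 3));

    return '<div class="entry">'
        . '<b>' . escapeHtml($name) . '</b>'
        . ($email !== '' ? ' (' . escapeHtml($email) . ')' : '')
        . ' <i>' . escapeHtml($date) . '</i>'
        . '<p>' . nl2br(escapeHtml($content)) . '</p>'
        . '</div>';
}

// Constructed sample entry: a name carrying markup, as it would arrive in $_POST['name'].
$path = writeEntry(
    sys_get_temp_dir(),
    'demo-entry',
    "Bob <script>alert(1)</script>",
    'bob@example.com',
    "Hello\nfrom the guestbook"
);
echo renderEntry($path), "\n";
```

Escaping on output rather than on insert, as done here, leaves the stored text intact for non-HTML uses and avoids double encoding; escaping with htmlentities() at insert time, as the advisory suggests, also closes the hole as long as displayGuestbook() does not escape the same value a second time.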
