
Advanced Guestbook 2.4 for phpBB - Multiple XSS and SQL-Injection Vulnerabilities



[MajorSecurity #25] Advanced Guestbook 2.4 for phpBB - Multiple XSS and SQL-Injection Vulnerabilities
----------------------------------------------------------------------------------------

Software: Advanced Guestbook for phpBB

Version: 2.4

Type: Cross site scripting + SQL Injection

Made public: July 22nd, 2006

Author: Dreamy and Kooky

Page: http://www.phpbbhacks.com/viewhack.php?id=966


Credits:
----------------------------------------------
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls25.txt

Affected Products:
----------------------------------------------
Advanced Guestbook for phpBB 2.4

Description:
----------------------------------------------
Advanced Guestbook is a PHP-based guestbook script.
It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning,
HTML tag handling, smilies, advanced guestbook codes and language support.
The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.

Requirements:
----------------------------------------------
register_globals = On

Vulnerabilities:
----------------------------------------------
XSS:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
A proof of concept looks like this:

>">alert(123456789)%3B

SQL Injection:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
Use the "htmlspecialchars()" or "htmlentities()" PHP function so that HTML tags in the input are rendered as text
rather than interpreted by the browser. Also use the "intval()" PHP function to ensure that the "entry" input
is numeric before it reaches the query.

Example:


Set "register_globals" to "Off".
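The following is an added example, not code from the advisory or from Advanced Guestbook itself. It applies the two fixes the Solution section recommends (intval() on the numeric "entry" id and htmlspecialchars() on output) to a hypothetical guestbook.php handler and adds a bound query parameter, with the register_globals-era pattern shown alongside for contrast. The table and column names (gb_entries: id, name, message), the in-memory SQLite database and the sample requests are all constructed for the example.

```php
<?php
// Added example (not the advisory's or the guestbook's own code).
// Constructed in-memory database so the script runs stand-alone; the
// table name and columns are assumptions, not the guestbook's real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gb_entries (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');
$pdo->exec("INSERT INTO gb_entries VALUES (1, 'alice', 'Nice site!')");
// Constructed stored entry containing markup, to show output escaping at work.
$pdo->exec("INSERT INTO gb_entries VALUES (2, '<b>bob</b>', 'x <script>alert(1)</script> y')");

// Escape on output: "<", ">", "&" and both quote styles become entities, so
// stored or reflected markup is shown as text instead of being executed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The register_globals pattern the advisory describes: $entry arrives straight
// from the request and is spliced into both the SQL text and the HTML output.
// Kept here only for comparison; it is not called below.
function showEntryVulnerable(PDO $pdo, string $entry): string
{
    $sql = "SELECT id, name, message FROM gb_entries WHERE id = $entry"; // injectable
    $out = '<p>entry: ' . $entry . '</p>';                               // reflected unescaped
    foreach ($pdo->query($sql) as $row) {
        $out .= '<p>' . $row['name'] . ': ' . $row['message'] . '</p>';
    }
    return $out;
}

// Hardened form: read the parameter explicitly (no reliance on register_globals),
// intval() so only an integer survives, a bound parameter so the id is never part
// of the SQL text, and htmlspecialchars() on everything written to the page.
function showEntrySafe(PDO $pdo, array $get): string
{
    $entry = isset($get['entry']) ? intval($get['entry']) : 0;
    if ($entry <= 0) {
        return '<p>invalid entry id</p>';
    }
    $stmt = $pdo->prepare('SELECT id, name, message FROM gb_entries WHERE id = :id');
    $stmt->bindValue(':id', $entry, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>no entry #' . e((string) $entry) . '</p>';
    }
    return '<p>' . e($row['name']) . ': ' . e($row['message']) . '</p>';
}

// Constructed requests: a normal lookup, a markup payload and a non-numeric
// string of the kind the advisory warns about. intval() reduces the latter
// two to 0 (rejected) and 1 (a plain lookup) respectively.
$requests = [
    ['entry' => '2'],
    ['entry' => '"><script>alert(1)</script>'],
    ['entry' => '1 OR 1=1'],
];
foreach ($requests as $get) {
    echo showEntrySafe($pdo, $get), "\n";
}
```

Two points worth noting from the design: intval() alone closes the injection on this parameter because the value that reaches the query can only be an integer, but the prepared statement is still the right habit for any column that is not numeric; and escaping is done at output time with ENT_QUOTES so that a value dropped into an attribute (the `>">` shape in the proof of concept above) cannot break out of it.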
