
PBL Guestbook <= 1.32 XSS & SQL Querys Vulnerabilities



/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #23 - 07/07/06
--------------------------------------------------------
Program: PBL Guestbook
Homepage: www.pixelatedbylev.com
Vulnerable Versions: 1.32 and lower.
Risk: High!
Impact: Critical Risk

-==PBL Guestbook <= 1.32 XSS & SQL Querys Vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PBL Guestbook is a fully functional guestbook loaded with tons of features and packed for premium optimization and performance.

- Tested
---------------------------------------------------------
PBL Homepage & other sites

- Exploitation
---------------------------------------------------------

1)

Vulnerable code:

==[ pblguestbook.php 164-183 ]==========================
[...]
if ($id){
foreach ($_POST as $name => $value)
	{
	$_POST["$name"] = str_replace("\n","<br>",$value);	// newline -> <br>
	}
foreach ($_POST as $name => $value)
	{
	$_POST["$name"] = str_replace("\t","",$value);	// strip tabs
	}
foreach ($_POST as $name => $value)
	{
	$_POST["$name"] = str_replace("\r","",$value);	// strip carriage returns
	}
foreach ($_POST as $name => $value)
	{
	$_POST["$name"] = str_replace('|',"¦",$value);	// replace the pipe character
	}
foreach ($_POST as $name => $value)
	{
	// only literal <SCRIPT ...>...</SCRIPT> pairs are replaced; no other markup is touched
	$_POST["$name"] = preg_replace("/\<SCRIPT(.*?)\>(.*?)\<\/SCRIPT(.*?)\>/i", "SCRIPT BLOCKED", $value);
	}
[...]
==[ end pblguestbook.php ]==========================

As we can see, the script only does some replacements. Only the