Advisory: hdweGUEST <= 2.1.1 Cross Site Scripting Vulnerabilities
Release Date: 2006/07/18
Last Modified: 2006/07/18
Author: Tamriel [tamriel at gmx dot net]
Application: hdweGUEST 2.1.1
Risk: Low
Vendor Status: contacted | no reply | no patch available
Vendor Site: www.huttenlocher-webdesign.de

Overview:

Quote from www.huttenlocher-webdesign.de

"hwdeGUEST is a guestbook written in PHP. It offers the operator a
variety of options"


Details:

new_entry.php contains several possible cross-site scripting
vulnerabilities.

These can be used to inject malicious code that is executed in the
browser of every client that views the guestbook.

The script does not validate user input, except in these lines
(around lines 250-255):

...

// trim() only strips surrounding whitespace; neither value is encoded
// for HTML output
$username = trim($username);
$usernachricht = trim($usernachricht);
// strip_tags() is applied to the message only, and only when HTML is
// disabled; the user name is never filtered at all
if ($GLOBALS[html_allowed] == 0) {
    $usernachricht = strip_tags($usernachricht);
}

...

and the e-mail address is checked by this function
(around lines 70-80):

...

// Function header reconstructed from the advisory's reference to
// checke_email(); the body is the original script's logic. An address
// passes if it contains "@", has a "." somewhere after the "@" and is
// at least 8 characters long; no other characters are rejected.
function checke_email($adresse)
{
    if (strstr($adresse, "@")) {
        $temp_adresse = explode("@", $adresse);
        if (strstr($temp_adresse[1], ".")) {
            if (strlen($adresse) < 8) {
                return false;
            } else {
                return true;
            }
        } else {
            return false;
        }
    }
    // no return here in the original: an address without "@" yields NULL
}

...


Proof of Concept:

Insert HTML/JS code like "name" into the name input field
on the "new entry" page.


Solution/Note:

Since no vendor patch is available, it is strongly recommended that you
patch the script yourself: encode all user-supplied values with
htmlentities() before they are output, and replace insecure functions
such as checke_email() with proper validation code.

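
A hardened counterpart to the two code paths quoted in the Details section, added here as an example and not taken from the advisory or from hdweGUEST; validate_email() and escape_html() are assumed names, while checke_email() reproduces the weak check quoted above for comparison:

```php
<?php
// Added example, not code from the advisory or the hdweGUEST project.
// validate_email() and escape_html() are assumed names; checke_email()
// reproduces the weak logic quoted in the advisory for comparison.

// Original test: "@" present, a "." after it, total length >= 8.
function checke_email($adresse)
{
    if (strstr($adresse, "@")) {
        $temp_adresse = explode("@", $adresse);
        if (strstr($temp_adresse[1], ".")) {
            return strlen($adresse) >= 8;
        }
        return false;
    }
    return false; // original returns NULL here; both are falsy
}

// Replacement: PHP's built-in syntactic e-mail check rejects an unquoted
// local part such as <b>alice</b> that the original lets through.
function validate_email(string $adresse): bool
{
    return filter_var($adresse, FILTER_VALIDATE_EMAIL) !== false;
}

// Output encoding at the point of output (name, message and address),
// so stored entries cannot inject markup into the guestbook page.
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a normal address and one that carries
// HTML tags, which checke_email() accepts and validate_email() rejects.
$samples = ['alice@example.com', '<b>alice</b>@example.com'];
foreach ($samples as $adresse) {
    printf("%-26s checke_email=%-6s validate_email=%s\n", $adresse,
        checke_email($adresse) ? 'accept' : 'reject',
        validate_email($adresse) ? 'accept' : 'reject');
}

// Constructed guestbook entry rendered with encoding; trim() alone, as
// in new_entry.php, would emit the <i> tag and the quotes unchanged.
$entry = ['username' => '<i>Bob</i>', 'usernachricht' => 'Hi & "hello"'];
printf("<b>%s</b>: %s\n",
    escape_html($entry['username']),
    escape_html($entry['usernachricht']));
```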
Greets:

Greets fly out to all people at bluegeek.de
