.:. MicroGuestBook Remote XSS Bug .:.

Date:
-----

July 2006, 22

Product:
--------

MicroGuestBook Latest Version

Vendor:
-------

http://www.phptoys.com

Description:
------------

Micro guestbook is a MySQL-based guestbook script with a CSS-based attractive interface. It can store the name, date,
message, location, web and email information of the visitor.

Exploit(s)/Advisory(ies):
-------------------------

The application is vulnerable to a Remote XSS Bug. The fields 'name' and 'comment' are not properly sanitized before being
used, so a malicious user can exploit this vulnerability to inject arbitrary HTML and script code.

If you look at the code in add.php you can see:

[...]

if (isset($_POST['submitBtn'])) {
    // Each field is taken straight from the POST request with no validation or encoding.
    $name     = (isset($_POST['name']))     ? $_POST['name']     : '';
    $comment  = (isset($_POST['comment']))  ? $_POST['comment']  : '';
    $location = (isset($_POST['location'])) ? $_POST['location'] : '';
    $website  = (isset($_POST['website']))  ? $_POST['website']  : '';
    $email    = (isset($_POST['email']))    ? $_POST['email']    : '';
    $actDate  = date("Y-m-d H:i:s");

    //Minimum name and comment length.
    if ((strlen($name) > 2) && (strlen($comment) > 5)){
        // The raw values are concatenated into the query and stored as-is, so the
        // unsanitized text is exactly what index.php later displays to every visitor.
        $sql = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);

[...]
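The same insert and the rendering of stored entries written defensively, as an added example that is not part of MicroGuestBook or of this advisory: the values are bound with a PDO prepared statement instead of being concatenated into the SQL string, and every field is passed through htmlspecialchars() at output time so stored text is displayed, not interpreted. It assumes a PDO connection $pdo and reuses the table and column names from the excerpt above; the gb_* function names are hypothetical.

```php
<?php
// Added example, not MicroGuestBook's own code. Assumes a PDO connection $pdo;
// the guestbook table and its columns (name, text, insertdate, location, web,
// email) come from the advisory; the gb_* function names are hypothetical.

// Encode a value for an HTML text or attribute context.
function gb_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Store an entry with a prepared statement: the values travel separately
// from the SQL text instead of being concatenated into it as in add.php.
function gb_insert(PDO $pdo, array $post): bool
{
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));
    if (strlen($name) <= 2 || strlen($comment) <= 5) {
        return false; // same minimum-length rule as the original add.php
    }
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, text, insertdate, location, web, email)
         VALUES (:name, :text, :insertdate, :location, :web, :email)'
    );
    return $stmt->execute([
        ':name'       => $name,
        ':text'       => $comment,
        ':insertdate' => date('Y-m-d H:i:s'),
        ':location'   => (string)($post['location'] ?? ''),
        ':web'        => (string)($post['website'] ?? ''),
        ':email'      => (string)($post['email'] ?? ''),
    ]);
}

// Render one stored row for index.php. Encoding at output time means whatever
// was stored is displayed as text, never interpreted as markup or script.
function gb_render_entry(array $row): string
{
    return '<div class="entry"><span class="name">' . gb_escape($row['name'])
         . '</span> <span class="date">' . gb_escape($row['insertdate'])
         . '</span><p>' . gb_escape($row['text']) . '</p></div>';
}

// Constructed sample row: the tags in the name appear literally on the page.
echo gb_render_entry([
    'name'       => '<b>Visitor</b>',
    'insertdate' => '2006-07-22 10:00:00',
    'text'       => 'Hello & <i>welcome</i>',
]), "\n";
```

Encoding belongs at the point of output because the same stored value may later be emitted in different contexts; the prepared statement fixes the query construction independently of the XSS issue.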

And in index.php you will see:

[...]