TUCoPS :: Web :: Guestbooks

TUCoPS :: Web :: Guestbooks :: b06-3843.htm
Full Path Disclosure xGuestBook v1.02
Full Path Disclosure xGuestBook v1.02 Full Path Disclosure xGuestBook v1.02

###################Dicomdk####################=0D
Full Path Disclosure xGuestBook v1.02        #=0D
                                             #=0D
http://xatrix.xa.funpic.de/xguestbook2/ #=0D 
                                             #=0D
By : X-boy                                   #=0D
##############################################=0D
=0D
http://[HOST]/post.php=0D 
=0D
Test : http://xatrix.xa.funpic.de/xguestbook2/post.php=0D 
=0D
Result :=0D
=========0D
Notice: Undefined index: user in [site]\post.php on line 15=0D
=0D
Notice: Undefined index: mail in [site]\post.php on line 16=0D
=0D
Notice: Undefined index: p in [site]\post.php on line 17=0D
=0D
Notice: Undefined index: url in [site]\post.php on line 19=0D
=0D
##############################################=0D
Patch :                                      #=0D
##############################################=0D
=0D
-Open post.php =0D
-Find : =0D
=0D
             $user  = HTMLSPECIALCHARS(trim($_POST['user']));=0D
             $email = HTMLSPECIALCHARS(trim($_POST['mail']));=0D
             $post  = nl2br(HTMLSPECIALCHARS($_POST['p']));=0D
             $post  = str_replace("  ","  ",$post);=0D
             $url   = HTMLSPECIALCHARS(trim($_POST['url']));=0D
             $date  = date("Y-m-d g:i:s");=0D
			 =0D
-Change to :=0D
=0D
if (isset($_POST['user']) AND isset($_POST['mail']) AND isset($_POST['p']) AND isset($_POST['url']))=0D
{=0D
             $user  = HTMLSPECIALCHARS(trim($_POST['user']));=0D
             $email = HTMLSPECIALCHARS(trim($_POST['mail']));=0D
             $post  = nl2br(HTMLSPECIALCHARS($_POST['p']));=0D
             $post  = str_replace("  ","  ",$post);=0D
             $url   = HTMLSPECIALCHARS(trim($_POST['url']));=0D
             $date  = date("Y-m-d g:i:s");=0D
}=0D
=0D
##############################################=0D
=0D
=0D
=0D
=0D