%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% 
%% 
%% Discovered by: GTADarkDude
%% Discovered on: 10 December 2008
%% Name: Max's Guestbook
%% Version: 1.0
%% URL: http://www.phpf1.com/product/php-guestbook-script.html
%% URL2: http://www.hotscripts.com/Detailed/78571.html
%% Google Search: intitle:"Max's Guestbook" powered-by-PHP-F1
%% 
%% 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


*** File ***

maxGuestbook.class


*** Vulnerable Code ***

function insertMessage(){
    // Every field is taken straight from the POST body; nothing is filtered or escaped
    $name = isset($_POST['name']) ? $_POST['name'] : 'Anonymous';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $submitDate = date($this->dateFormat);
    $content = isset($_POST['message']) ? $_POST['message'] : '';
    //(...)
    // The raw values are written one per line into a message file, and displayGuestbook()
    // later echoes them back to the browser unchanged
    $f = fopen($this->messageDir.DIRECTORY_SEPARATOR.$filename.".txt","w+");
    fwrite($f,$name."\n");
    fwrite($f,$email."\n");
    fwrite($f,$submitDate."\n");
    fwrite($f,$content."\n");
    fclose($f);
}

*** Exploit ***

$_POST['name'], $_POST['email'] and $_POST['message'] are not filtered at all:
neither when they are stored [insertMessage()] nor when they are displayed [displayGuestbook($page)] -> XSS!

POST DATA: name=; message=qwertyuiop


*** Solution ***

Easy: filter every $_POST and $_GET value before it is stored or displayed, for example with htmlentities($var, ENT_QUOTES).
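The fix the advisory proposes, worked through as an added example (this is not code from the advisory or from Max's Guestbook). It escapes each stored field with htmlentities() and ENT_QUOTES at the point of display, which is what matters for XSS: ENT_QUOTES is needed because without it single quotes are left alone (PHP only made it the default in 8.1), so a value placed inside a single-quoted attribute could still break out. Since insertMessage() stores one field per line, the example also strips CR and LF from each field before writing, otherwise a newline inside a field shifts every field that follows it. The function names escapeHtml(), sanitizeLine(), buildRecord() and renderRecord(), the constructed sample input and the markup layout are all assumptions of this example.

```php
<?php
// Added example, not part of the advisory or of Max's Guestbook.
// escapeHtml(), sanitizeLine(), buildRecord() and renderRecord() are hypothetical names.

// Output escaping, applied at the point of display.
function escapeHtml(string $value): string {
    // ENT_QUOTES escapes both " and ' so the value is safe inside attribute values
    // as well as element text; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The guestbook stores one field per line, so a CR or LF inside a field would
// shift every following field. Strip them before writing (hardening beyond the
// advisory's own suggestion).
function sanitizeLine(string $value): string {
    return str_replace(["\r", "\n"], ' ', $value);
}

// Build a record in the layout insertMessage() uses: name, email, date, message,
// one per line.
function buildRecord(string $name, string $email, string $submitDate, string $content): string {
    return implode("\n", array_map('sanitizeLine', [$name, $email, $submitDate, $content])) . "\n";
}

// Parse a stored record and render it with escaping on every field.
function renderRecord(string $record): string {
    [$name, $email, $submitDate, $content] =
        array_pad(explode("\n", rtrim($record, "\n"), 4), 4, '');
    return '<div class="entry">'
         . '<strong>' . escapeHtml($name) . '</strong> '
         . '<a href="mailto:' . escapeHtml($email) . '">' . escapeHtml($email) . '</a> '
         . '<em>' . escapeHtml($submitDate) . '</em>'
         . '<p>' . escapeHtml($content) . '</p>'
         . '</div>';
}

// Constructed sample input standing in for a hostile POST to insertMessage().
$name    = "Mallory<script>alert(1)</script>";
$email   = "x\" onmouseover=\"alert(2)";   // attribute breakout attempt
$content = "hi\nsecond line";               // newline would become a fifth record line

$record = buildRecord($name, $email, date('Y-m-d H:i'), $content);
$html   = renderRecord($record);

// Sanity checks: no raw tag or attribute from user data survives in the markup,
// and the record still has exactly four lines.
assert(strpos($html, '<script>') === false);
assert(strpos($html, 'onmouseover="alert') === false);
assert(substr_count($record, "\n") === 4);

echo $html, PHP_EOL;
```

Run it with `php example.php`; the echoed markup shows the script tag rendered as `&lt;script&gt;` and the quotes in the email as `&quot;`. Escaping on output rather than on storage is the safer default here, because the stored file then keeps the original text and the same record can later be emitted into a different context (plain text, JSON) with the escaping that context needs.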