
Dynamic Guestbook cross site scripting and arbitrary command execution vulnerabilities
4th Apr 2002 [SBWID-5239]
COMMAND

	Dynamic Guestbook cross site scripting and arbitrary  command  execution
	vulnerabilities

SYSTEMS AFFECTED

	Dynamic Guestbook V3.0

PROBLEM

	Florian Hobelsberger (BlueScreen) [http://www.it-checkpoint.net] found
	the following:

	Dynamic Guestbook V3.0 doesn't check for bad user input (such as PHP code
	or JavaScript). Under certain circumstances it is possible to execute
	arbitrary commands on the server.
	

	

	 DETAILS

	 =======

	

	The script quoted below writes the user input into a file (usually
	gb.data). As the source shows, the input is not tested for Cross Site
	Scripting or any malicious characters.
	

	

	###################### quote source ############################

	##### Open the file for reading #####
	open (GBDB, $in{gbdaten});
	@inhalt = <GBDB>;
	close (GBDB);

	##### Write the entry at the beginning of the file #####
	chomp($date);
	open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
	# Form fields go into the record unfiltered
	print GBDB "$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
	foreach $zeile (@inhalt) {
		print GBDB $zeile;
	}
	close (GBDB);

	################### /quote ##########################
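
A hardened form of the write routine quoted above, as an added example (not code from Dynamic Guestbook or from the advisory). The fixed file name, the field length limits and the helper names clean_field, build_record and append_entry are assumptions chosen here; the sketch appends each entry and does not reproduce the original file ordering.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);

# Assumption: the data file is fixed in the script, never read from the request.
my $GB_FILE = 'gb.data';

# Encode HTML metacharacters and drop anything that could break the record format.
sub clean_field {
    my ($value, $max) = @_;
    $value = '' unless defined $value;
    $value = substr($value, 0, $max);   # truncate before encoding
    $value =~ s/[\r\n]+/ /g;            # one record per line
    $value =~ s/[\x00-\x1f\x7f]//g;     # remaining control characters
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;', '|' => '&#124;');
    $value =~ s/([&<>"'|])/$ent{$1}/g;  # '|' encoded so ":|:" cannot be forged
    return $value;
}

sub build_record {
    my ($in, $date, $addr) = @_;
    return join(':|:',
        clean_field($in->{name}, 64),
        clean_field($in->{mail}, 128),
        clean_field($date, 32),
        clean_field($addr, 45),
        clean_field($in->{kommentar}, 2000)) . "\n";
}

sub append_entry {
    my ($file, $record) = @_;
    # Three-argument open: the name is only ever a path, the mode is explicit.
    open(my $fh, '>>', $file) or die "Cannot write to $file: $!";
    flock($fh, LOCK_EX) or die "Cannot lock $file: $!";
    print {$fh} $record;
    close($fh) or die "Cannot close $file: $!";
}

# Constructed sample input standing in for the parsed form fields (%in).
my %in = (
    name      => '<script>alert(1)</script>',
    mail      => 'user@example.com',
    kommentar => "line one\nfake:|:entry <?php echo 1; ?>",
);
my $record = build_record(\%in, scalar(localtime), '192.0.2.10');
append_entry($GB_FILE, $record);
print $record;
```

The stored record contains only entity-encoded markup and exactly four ":|:" separators, so a page that prints gb.data back out renders the input as text.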

	

	

	

	 IMPACT

	 ======

	

	Commands can possibly be executed with the rights of the current user.
	Cross Site Scripting is also possible.
	

	

	 EXPLOIT

	 =======

	

	A proof of concept exploit will be released in an updated Advisory at
	the end of April at
	

	http://www.it-checkpoint.net/advisory/7.html

	

	

SOLUTION

	Nothing yet.
