4th Apr 2002 [SBWID-5239]
COMMAND
Dynamic Guestbook cross site scripting and arbitrary command execution
vulnerabilities
SYSTEMS AFFECTED
Dynamic Guestbook V3.0
PROBLEM
Florian Hobelsberger (BlueScreen) [http://www.it-checkpoint.net] found
the following:
Dynamic Guestbook V3.0 doesn't check for bad user input (such as PHP code
or JavaScript). Under certain circumstances it is possible to execute
arbitrary commands on the server.
DETAILS
=======
As the quoted excerpt below shows, the routine that writes the user input
into a file (usually gb.data) does not check the input for cross site
scripting or any other malicious characters.
###################### quote source ############################
##### Open the file for reading #####
# the file name comes straight from the request ($in{gbdaten}) and is
# passed to two-argument open without any check
open (GBDB, $in{gbdaten});
@inhalt = <GBDB>;
close (GBDB);
##### Write the entry at the start of the file #####
chomp($date);
open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
# name, mail and kommentar are stored exactly as submitted
print GBDB
"$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
foreach $zeile (@inhalt) {
print GBDB $zeile;
}
close (GBDB);
################### /quote ##########################
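A hardened version of the quoted append routine, added here as an example and not the guestbook's own code: the data file name is fixed in the script instead of being taken from the request, three-argument open is used so the name can never be interpreted as a pipe or mode string, and every field is HTML-encoded and stripped of the ":|:" record separator before it is stored. The %in hash, the field names and the gb.data path follow the quoted snippet; the sample submission at the end is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed data file (the original used $in{gbdaten}, i.e. a request value).
my $gbdaten = 'gb.data';

# Encode the characters that turn stored text into markup when the
# guestbook page is rendered, so entries display as plain text.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# A field must not contain newlines or the ':|:' separator, otherwise one
# submission could forge extra records in gb.data.
sub clean_field {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\r\n]+/ /g;
    $s =~ s/:\|:/ /g;
    return html_escape($s);
}

sub append_entry {
    my ($file, $in, $date, $remote_addr) = @_;
    my @inhalt;
    # Explicit read mode: $file is only ever treated as a path.
    if (open(my $rfh, '<', $file)) { @inhalt = <$rfh>; close($rfh); }
    chomp($date);
    my $record = join(':|:', map { clean_field($_) }
        $in->{name}, $in->{mail}, $date, $remote_addr, $in->{kommentar});
    # Rewrite the whole file with the new record first (prepend semantics).
    open(my $wfh, '>', $file) or die "Konnte nicht in $file schreiben: $!";
    print $wfh "$record\n", @inhalt;
    close($wfh);
    return $record;
}

# Constructed sample submission: a script tag and a forged separator.
my %in = (name => '<script>alert(1)</script>', mail => 'a@b:|:x',
          kommentar => 'hi');
print append_entry($gbdaten, \%in, scalar localtime, '127.0.0.1'), "\n";
```

The printed record shows the tag stored as "&lt;script&gt;..." and the separator in the mail field replaced, so neither the rendered page nor the record layout is affected by the submission.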
IMPACT
======
Commands can possibly be executed with the rights of the current user.
Cross site scripting is also possible.
EXPLOIT
=======
A proof of concept exploit will be released in an updated advisory at
the end of April at
http://www.it-checkpoint.net/advisory/7.html
SOLUTION
Nothing yet.