Target:
Philip Chinery's Guestbook 1.1 (maybe older versions?)
Vendor:
http://www.sector7g.de.vu
Notified Vendor:
Sure
Affected Systems:
Webservers that run "Philip Chinery's Guestbook 1.1"
Found by:
Markus Arndt<[EMAIL PROTECTED]>
Short Description:
Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (Cross-Site Scripting)
This nice lil' guestbook lets the owner choose to filter out JScript and/or
HTML entries..
Let's see the start of its sub where it saves an entry:
---code starts---
sub SaveData
{
    # Mode 1: strip every tag from the comment text
    if($kill_html == 1) {
        $Text =~ s/<([^>]|\n)*>//g;
    }
    # Mode 2: keep the tags but turn angle brackets into HTML entities
    if($kill_html == 2) {
        $Text =~ s/</&lt;/g;
        $Text =~ s/>/&gt;/g;
    }
    # "kill_java": only removes HTML comments from the comment text
    if ($kill_java) {
        $Text =~ s/<!--(.|\n)*-->//g;
    }
    # Normalisation of the comment text: newlines to <br>, '|' and tabs to spaces, CR dropped
    $Text =~ s/\n/ <br>/g;
    $Text =~ tr/|/ /;
    $Text =~ s/\t/ /g;
    $Text =~ s/\cM//g;
    # (remainder of the sub not shown)
---code ends---
That's all it filters out.. As we can see, it only filters the comment text ($Text)
a user wrote!
The fields "Name", "EMail" and "Homepage", for example, are NOT checked at all!
So let's build a URL to exploit this..
http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&[EMAIL PROTECTED]&Text=css%20example
This would post a message that would display an alert box on a visitor's screen
when accessing the guestbook..
As I noticed, the guestbook logs IP addresses but doesn't prevent spam.
It also automatically redirects posters back to the main guestbook page.
That makes it very easy to post entries that e.g. force visitors to spam the guestbook
(really annoying).
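For comparison, here is how the SaveData filtering would look if every user-supplied field got the same treatment as the comment text. This is an added example written for this write-up, not code from the guestbook or its author; the field names (Name, EMail, Homepage, Text) are taken from the advisory, the function names and the sample entry are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not the guestbook's own code): HTML-escape every
# user-supplied field before it is stored or echoed, instead of only $Text.
use strict;
use warnings;

# Escape the characters that can break out of text or attribute context,
# so the value is rendered as literal text by the browser.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;    # must come first, or later entities get double-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Sanitize a whole entry. $fields is a hashref with the four guestbook
# fields; every one of them is escaped, not just the comment.
sub sanitize_entry {
    my ($fields) = @_;
    my %clean;
    for my $k (qw(Name EMail Homepage Text)) {
        $clean{$k} = escape_html($fields->{$k});
        # Same normalisation the original applies to $Text, here for all fields:
        # '|' and tabs become spaces, carriage returns are dropped.
        $clean{$k} =~ tr/|/ /;
        $clean{$k} =~ s/\t/ /g;
        $clean{$k} =~ s/\cM//g;
    }
    # Newlines in the comment become <br> only AFTER escaping, so the only
    # tags left in the stored text are the ones this script inserted itself.
    $clean{Text} =~ s/\n/ <br>/g;
    return \%clean;
}

# Constructed sample entry: the Name field carries the payload from the
# advisory's example URL; the other values are placeholders.
my $entry = {
    Name     => '<script>alert("gotcha!");</script>',
    EMail    => 'someone@example.invalid',
    Homepage => 'http://example.invalid/',
    Text     => "css example\nsecond line",
};

my $clean = sanitize_entry($entry);
for my $k (qw(Name EMail Homepage Text)) {
    print "$k: $clean->{$k}\n";
}
# Name is printed as &lt;script&gt;alert(&quot;gotcha!&quot;);&lt;/script&gt;,
# which the browser shows as text instead of running it.
```

Escaping on output (when the entry is rendered into the page) would be the more robust place for this, since stored data then stays raw and every output path is covered; the example escapes on save to stay close to where the original code does its filtering.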
Sorry for the bad English, hope you can understand what I'm talkin' about. ;)
Markus Arndt<[EMAIL PROTECTED]>
http://skka.de