.:. MicroGuestBook Remote XSS Bug .:.

Date:
-----
July 2006, 22

Product:
--------
MicroGuestBook Latest Version

Vendor:
-------
http://www.phptoys.com

Description:
------------
Micro guestbook is a MySQL based guestbook script with a CSS based attractive
interface. It can store the name, date, message, location, web and email
information of the visitor.


Exploit(s)/Advisory(ies):
-------------------------
The application is vulnerable to a Remote XSS Bug. The fields 'name' and
'comment' are not properly sanitized before being used, so malicious people can
exploit this vulnerability to inject arbitrary HTML and script code.

If you look at the code in add.php you can see:


[...]

if (isset($_POST['submitBtn'])) {
    $name     = (isset($_POST['name'])) ? $_POST['name'] : '' ;
    $comment  = (isset($_POST['comment'])) ? $_POST['comment'] : '' ;
    $location = (isset($_POST['location'])) ? $_POST['location'] : '' ;
    $website  = (isset($_POST['website'])) ? $_POST['website'] : '' ;
    $email    = (isset($_POST['email'])) ? $_POST['email'] : '' ;
    $actDate  = date("Y-m-d H:i:s");

    //Minimum name and comment length.
    //This is the only check applied: the posted values are never escaped or validated.
    if ((strlen($name) > 2) && (strlen($comment) > 5)){
        $sql = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);

[...]


And in index.php you will see:

[...]

          <div id="name"><?php echo $row['name']; /* stored value echoed without escaping */ ?></div>
            <div id="info">
              <div id="infoicons">
                <?php
                   if (strlen($row['web']) > 5) echo '<a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
                   if (strlen($row['email']) > 5) echo '<a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
                ?>
              </div>
              <div id="infodate"><?php echo $row['insertdate']; ?></div>
            </div>
          </div>
          <div id="base">
            <div id="icon"><?php echo $row['location']; ?></div>
            <div id="text"><?php echo nl2br($row['text']); /* the comment is echoed without escaping too */ ?></div>

[...]


PoC(s):
-------
You can put your own HTML or script code in the 'name' or 'comment' field. Try:

<script>alert("XSS")</script>


Vendor Status:
--------------
[July 2006, 22] Vendor contacted!

Patches:
--------
[July 2006, 22] At the moment there is no patch available from the vendor. You
can check this site to see if a patch gets posted:

http://www.phptoys.com

If you don't want to wait, edit the source code to ensure that input is properly
sanitised.
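As an added example (not the vendor's code and not a vendor patch), here is a hardened equivalent of the index.php fragment quoted above. The values are stored by add.php and echoed back by index.php, so the fix is to escape every field for its HTML context at output time; the PoC payload then renders as inert text. The helper names e(), safe_web(), safe_email() and render_entry() are this example's own, and the $row array is a constructed sample that reuses the column names index.php reads.

```php
<?php
// Added hardening example, not MicroGuestBook's own code or a vendor patch.
// The fix for the stored XSS is output encoding: every value read back from
// the guestbook table is escaped for its HTML context before it is echoed.
// e(), safe_web(), safe_email() and render_entry() are names chosen here.

// Escape a value for an HTML text or double-quoted attribute context.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// The "web" field is emitted inside href="http://...", so only accept a plain
// host and optional path; anything else (quotes, spaces, other schemes) is dropped.
function safe_web($web)
{
    $web = trim((string) $web);
    if (preg_match('#^[A-Za-z0-9.\-]+(/[A-Za-z0-9._~/\-]*)?$#', $web) !== 1) {
        return '';
    }
    return $web;
}

// The "email" field is emitted inside href="mailto:..."; keep it only if it is
// a syntactically valid address.
function safe_email($email)
{
    $email = trim((string) $email);
    return (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) ? $email : '';
}

// Hardened equivalent of the index.php fragment quoted in the advisory.
// $row uses the same column names: name, text, insertdate, location, web, email.
function render_entry(array $row)
{
    $html  = '<div id="name">' . e($row['name']) . "</div>\n";
    $html .= "<div id=\"info\">\n  <div id=\"infoicons\">\n";

    $web = safe_web($row['web']);
    if (strlen($web) > 5) {
        $html .= '    <a href="http://' . e($web) . '"><img src="style/www.gif"></a>' . "\n";
    }
    $email = safe_email($row['email']);
    if (strlen($email) > 5) {
        $html .= '    <a href="mailto:' . e($email) . '"><img src="style/mail.gif"></a>' . "\n";
    }

    $html .= "  </div>\n";
    $html .= '  <div id="infodate">' . e($row['insertdate']) . "</div>\n</div>\n";
    $html .= '<div id="base">' . "\n";
    $html .= '  <div id="icon">' . e($row['location']) . "</div>\n";
    // Escape first, then convert newlines: running nl2br() on the escaped text
    // keeps its <br /> tags intact, whereas escaping after nl2br() would neuter them.
    $html .= '  <div id="text">' . nl2br(e($row['text'])) . "</div>\n</div>\n";
    return $html;
}

// Constructed sample row carrying the advisory's PoC payload in both fields
// that index.php echoes unescaped.
$row = array(
    'name'       => '<script>alert("XSS")</script>',
    'text'       => "Nice site!\n<script>alert(\"XSS\")</script>",
    'insertdate' => '2006-07-22 12:00:00',
    'location'   => 'Italy',
    'web'        => 'example.com/guestbook',
    'email'      => 'not an address',
);

echo render_entry($row);
```

Run it with php on the command line: the name field comes out as &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;, which a browser displays literally instead of executing, the text field shows a <br /> between its two escaped lines, and no mailto link is emitted because the sample address fails filter_var(). Storing the raw value in add.php is acceptable as long as every read path escapes it like this, but validating the web and email fields at submission time as well keeps junk out of the table.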


Credits:
--------
omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org
