| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 9 Aug 2006 13:10:49 -0000 From: omnipresent@...il.it To: bugtraq@...urityfocus.com Subject: Simple one-file GuestBook 1.0 .:. Simple one-file guestbook 1.0 .:. Date: ----- August 08, 2006 Vendor: ------- http://www.xeroxer.com/index.php?page=3 Description: ------------ This is my simple one-file guestbook. It's made of one .php file (the script) and one .txt file (the entrystorage file). It uses no database just a flat textfile. It is made so it's easy to include in any page. It has admin login where you can edit and remove entrys. Demo can be found at: http://php.xeroxer.com/simple_one-file_guestbook/demo/guestbook.php Any help needed please mail me at: webmaster@...oxer.com Version: -------- <= 1.0 Vulnerability(ies) / Exploit(s): -------------------------------- I malicious people can Bypass Administrator Pannel to delete all of the messages in the GuestBook because there is no control about admin credential. PoC(s): ------- An attacker can use this URL via the browser to delete all messages: http://host/[path]/guestbook.php?id=4 Vendor Status: -------------- [August 08, 2006] Informed! Solution: --------- [August 08, 2006] No solution available from the vendor. You can edit the source code and control the administratior credential. Credit: ------- omnipresent omnipresent[at]email[dot]it http://it.security.netsons.org
Powered by blists - more mailing lists