[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Law11-OE13Kg4dBd8lf00015cb8@hotmail.com>
Date: Mon, 30 Jun 2003 09:56:03 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com>,
<bugtraq@...urityfocus.com>
Subject: Megabook 2.0 -XSS & UA execution
------------------------------------------------------------------
- EXPL-A-2003-011 exploitlabs.com Advisory 011
------------------------------------------------------------------
-= MegaBook =-
exploitlabs.com
June 29, 2003
Vunerability(s):
----------------
1. XSS and Unchecked Input Length
2. default admin password
3. XSS via UA
4. Non secure on NT
5. Undocumented attack vectors
Product:
--------
megabook guestbook
http://www.militerry.com/megabook/
Description of product:
-----------------------
"Megabook is an online guestbook that allows users that come to your
site to leave a message. These messages can also contain their e-mail
addresses, websites.""everyone will be able to view the messages left
by past users" ...and whatever XSS they care to leave
from thier FAQ..
"Q: Will Megabook work on Windows NT servers?
A: Megabook was only tested on UNIX-based servers.
There is a possibility that it could work but from
other people testing it seems that it won't."
dunno who they use to test but it works fine on NT ( heck i'll beta )
Note: this is a very popular scrript, found easly by google: gbook.db
all tests were run in a default state per the instalation instructions
and
confirmed in the wild.
VUNERABILITY / EXPLOIT
======================
where to start...
1. XSS is executeable via the login field in admin.cgi and carries no
length limit
http://[test-ur]/megabook/admin.cgi
2. Default password is "megabook"
http://www.militerry.com/megabook/files/20/setup.db ( note:
meJyatGfwfBXQ = megabook )
the first two characters are always the correct character and sequence
3. User Agent XSS vulnerability in gbook.db
contaminating the UA with XSS causes the script become readable /
executable on guestbook viewing
there are many more issues in this very popular script... I lost
track.
4. Despite the vendor saying the script does not work on NT, it does
with perl installed,
but this configuration is not desired as all files become www
readable.
( gbook.db contains email and ip addresses )
( setup.db contains the not great hashed password and admin info )
5. preview.txt , missing.txt and signgbook.cgi (sic) provide posting
function ( not documented )
--------- snip of the cgi -------------
chmod(0666, "setup.db");
open (SETUP, "setup.db");
@setup = <SETUP>;
close(SETUP);
chmod(0000, "setup.db");
-------- end snip--------------------
Local:
------
not realy
Remote:
-------
real bad
Vendor Fix:
-----------
No fix on 0day
Vendor Contact:
---------------
megabook@...iterry.com
Concurrent with this advisory
Credits:
--------
Donnie Werner
http://exploitlabs.com
http://frame4.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists