Date: Wed, 26 Nov 2003 20:08:26 -0500
From: "BrainRawt" <>
To: "bugtraq" <>
Subject: RNN's Guestbook 1.2 Multiple Vulnerabilities

 RNN's Guestbook 1.2 Multiple Vulnerabilities Discovered by
 Chris Rahm (aka: BrainRawt) (brainrawt at

 Vulnerabilities: Remote Command Execution
                  Administrative Access
                  Information Disclosure (Reading of Files)
                  Arbitrary HTML Insertion/Script Injection
                  Plain Text Administrative Password

          Remote: Yes
           Local: Yes
            Risk: High

      Vulnerable: Guestbook 1.2

 About Guestbook
 Guestbook is an easily customizable CGI script that allows
 visitors to post messages for others to read.

 Guestbook 1.2 can be downloaded at the following address.

 Vendor Contact
 10-11-03 - Sent an email to webmaster at 
            "ATT: Mike Reed (author)"
            (No Reply)

 10-12-03 - Sent an email to Mike Reed at mike at
            (No Reply)
 10-16-03 - Sent another email to mike at
            (No Reply)

 10-19-03 - Sent email to (Mike's other email) 
            zmlr15 at
            (Failed Recipient)

 10-20-03 - Posted a msg on the msgboard.
            (No Response Yet)

 10-20-03 - Called Mike via phone. 
            (No Answer)

 10-25-03 - Sent an email to another one of Mike's addresses.
            reed2323 at

 10-26-03 - Received an email from Mike and replied with a
            copy of this advisory.

 11-26-03 - No word from author since he had received a copy 
            of this advisory.  Releasing information to bugtraq.

 Administrative Access Vulnerabilities
 If an attacker were to visit ~/gbadmin.cgi, he/she would be
 prompted for a password.  But if that same attacker supplied the
 "action" parameter directly in the QUERY_STRING, he/she could have
 total control over the guestbook without any authentication at all,
 since the script acts on "action" whether or not the password
 prompt was ever answered.

 1. ~/gbadmin.cgi?action=change_adminpass - Change password 

 2. ~/gbadmin.cgi?action=delete_guests - Delete ALL posts on the guestbook.

 3. ~/gbadmin.cgi?action=setup - Change setup information for guestbook.

 4. ~/gbadmin.cgi?action=colors - Modify the look and feel of the guestbook

 5. ~/gbadmin.cgi?action=change_automail - Change emailing information
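 The root cause of the five requests above is that the script reads
 "action" before it has verified the password.  The following is an
 added example written for this archive page, not code from RNN's
 Guestbook: an admin front end that authenticates first, then dispatches
 only to an allow-listed handler.  It assumes CGI.pm is installed; the
 file paths, the handler set (only two of the five actions are shown) and
 the "$6$" crypt() scheme are assumptions.  Because the password is kept
 as a crypt() hash rather than in plain text, the same layout also
 addresses the "Plain Text Administrative Password" finding.

```perl
#!/usr/bin/perl
# Added example, not code from RNN's Guestbook: authenticate before
# dispatching on "action", and accept only allow-listed actions.
# Paths and handler names are hypothetical; CGI.pm is assumed present.
use strict;
use warnings;
use CGI ();

my $q = CGI->new;

# Hypothetical locations, both outside the web root so the files are
# never served by the httpd and need not be world-readable.
my $ADMIN_HASH_FILE = '/var/lib/guestbook/admin.hash';   # crypt() hash
my $ENTRIES_FILE    = '/var/lib/guestbook/entries.txt';

# Allow-list: a request can only ever reach one of these handlers.
my %ACTIONS = (
    change_adminpass => \&change_adminpass,
    delete_guests    => \&delete_guests,
);

sub deny {
    my ($why) = @_;
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "$why\n";
    exit 0;
}

sub read_hash {
    open(my $fh, '<', $ADMIN_HASH_FILE) or return '';
    my $stored = <$fh>;
    close $fh;
    return '' unless defined $stored;
    chomp $stored;
    return $stored;
}

# crypt() with the stored hash as the salt re-derives the same string
# only when the submitted password matches; nothing is stored in clear.
sub password_ok {
    my ($submitted) = @_;
    my $stored = read_hash();
    return 0 if $stored eq '' || !defined $submitted || $submitted eq '';
    return crypt($submitted, $stored) eq $stored;
}

sub new_hash {
    my ($password) = @_;
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    # "$6$" selects SHA-512 crypt on glibc (assumption); another libc may
    # fall back to a weaker scheme, so inspect the output format once.
    my $salt = '$6$' . join('', map { $chars[rand @chars] } 1 .. 16) . '$';
    return crypt($password, $salt);
}

sub change_adminpass {
    my $new = $q->param('new_password');
    deny('new password too short') unless defined $new && length($new) >= 12;
    open(my $fh, '>', $ADMIN_HASH_FILE) or deny('cannot write hash file');
    print {$fh} new_hash($new), "\n";
    close $fh;
    print $q->header(-type => 'text/plain'), "password changed\n";
}

sub delete_guests {
    # Truncate the entry file; the path is fixed, never taken from the request.
    open(my $fh, '>', $ENTRIES_FILE) or deny('cannot open entries file');
    close $fh;
    print $q->header(-type => 'text/plain'), "all entries deleted\n";
}

# 1. Authenticate. "action" is not even read until this passes.
password_ok(scalar $q->param('password')) or deny('authentication required');

# 2. Dispatch only to an allow-listed handler.
my $action  = $q->param('action');
my $handler = (defined $action && exists $ACTIONS{$action})
            ? $ACTIONS{$action} : undef;
$handler or deny('unknown action');
$handler->();
```

 A request such as ~/gbadmin.cgi?action=delete_guests with no password is
 refused by the first check before %ACTIONS is consulted, and an
 unlisted action value is refused by the second.  The password should be
 sent in a POST body rather than the query string so it does not land in
 server logs.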

 Information Disclosure Vulnerability (Reading of Files)
 By taking advantage of the Administrative Access Vulnerabilities, an
 attacker could visit ~/gbadmin.cgi?action=setup and change the
 "guestbook entry file" path to point at any file (e.g. /etc/passwd)
 on the system readable by the account under which the httpd is running.
 After making this change, the attacker would view guestbook.cgi not
 to read posts, but to read the contents of that file.

 Remote Command Execution
 Also by taking advantage of the Administrative Access Vulnerability,
 instead of changing the guestbook entry file path to something such
 as /etc/passwd in order to read that file's contents, an attacker
 can insert /path/file;<cmd> <args>| , resulting in the execution of
 the command after /path/file.

 EXAMPLE: /etc/passwd;touch /tmp/hacked|
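 The example value is exactly what Perl's two-argument open() turns into
 a command: a trailing "|" means "run the preceding text through the shell
 and read its output", while a plain path means "read this file".  The
 advisory does not show the guestbook's open() call, so attributing the
 bug to that idiom is an inference.  The block below is an added example,
 not the guestbook's own code; it puts the vulnerable pattern beside a
 form that treats the configured value as a bare file name inside a fixed
 directory.  $DATA_DIR and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from RNN's Guestbook: the open() pattern that
# turns a configured "entry file" value into file disclosure and command
# execution, beside a form that cannot. $DATA_DIR is hypothetical.
use strict;
use warnings;
use File::Spec;

# VULNERABLE PATTERN (do not use): two-argument open() parses its second
# argument as mode plus target. An absolute path reads any file the httpd
# user can read; a trailing '|' makes Perl hand the rest to /bin/sh and
# read the command's output. That is why "/etc/passwd;touch /tmp/hacked|"
# from the advisory both "reads" and executes.
sub read_entries_unsafe {
    my ($configured) = @_;
    open(my $fh, $configured) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

my $DATA_DIR = '/var/lib/guestbook';   # fixed directory, never from a request

# Return the untainted file name if it is acceptable, else undef.
# Only a bare name is allowed: no '/', no leading '.', so neither
# "/etc/passwd" nor ".." nor anything containing ';' or '|' survives.
# Capturing through a regex also untaints the value under "perl -T".
# The setup handler should call this before it saves the value, so a bad
# name is rejected at configuration time as well as at read time.
sub valid_entry_name {
    my ($configured) = @_;
    return undef unless defined $configured
        && $configured =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $1;
}

# HARDENED: validated name, fixed directory, three-argument open with an
# explicit read mode, so the string can never select a pipe or a mode.
sub read_entries_safe {
    my ($configured) = @_;
    my $name = valid_entry_name($configured);
    return undef unless defined $name;
    my $path = File::Spec->catfile($DATA_DIR, $name);
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed values: the advisory's two examples and one legitimate name.
for my $value ('/etc/passwd', '/etc/passwd;touch /tmp/hacked|', 'entries.txt') {
    my $name = valid_entry_name($value);
    printf "%-34s -> %s\n", $value, defined $name ? "accepted as '$name'" : 'rejected';
}
```

 Only the bare name passes valid_entry_name; both advisory values contain
 a '/' and are rejected before any open() is attempted.  The three-argument
 open with '<' is the load-bearing change: even if validation were
 bypassed, Perl would treat the whole string as a file name and never as
 a command.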

 Arbitrary HTML Insertion / Script Injection Vulnerabilities
 Due to improper filtering, every variable assigned below allows the
 insertion of HTML tags, making guestbook.cgi vulnerable to script
 injection.

 Even though gbadmin.cgi offers an option to disallow HTML tags in the
 $comment field, HTML tags are still accepted.

 sub process_input {
 # process variables: every field is copied from the form input
 # verbatim, with no escaping or filtering of HTML (the defect
 # described above); note that even the poster's IP is taken from
 # the form rather than from the server
 $name = "$in{'name'}";
 $email = "$in{'email'}";
 $refer = "$in{'refer'}";
 $msn = "$in{'msn'}";
 $aol = "$in{'aol'}";
 $guest_site = "$in{'guest_site'}";
 $comment = "$in{'comment'}";
 $ip = "$in{'ip'}";
 }
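 An added example, not RNN's Guestbook code, of what process_input would
 look like if each field were encoded before being stored.  The helper
 names html_escape and safe_url are hypothetical.  Two points go beyond
 the advisory's wording: refer and guest_site end up inside href
 attributes, where escaping alone does not stop a "javascript:" URL, so
 they are restricted to http(s); and the IP is taken from REMOTE_ADDR
 rather than from a form field.

```perl
#!/usr/bin/perl
# Added example, not RNN's Guestbook code: a process_input that encodes
# every field before it is stored, so later prints of an entry cannot
# inject markup. html_escape and safe_url are hypothetical helper names.
use strict;
use warnings;

# Encode the five characters that let input break out of HTML text or an
# attribute value. Escaping at store time means every later print is safe.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# refer and guest_site are printed inside href="...". Escaping alone does
# not help there: "javascript:alert(1)" has no HTML metacharacters.
# Accept only http(s) URLs without quotes or angle brackets; anything else
# becomes the empty string.
sub safe_url {
    my ($u) = @_;
    return '' unless defined $u && $u =~ m{\Ahttps?://[^\s"'<>]+\z}i;
    return html_escape($u);
}

# Same fields as the original sub, taken from a hashref of form values.
sub process_input {
    my ($in) = @_;
    my %entry;
    for my $field (qw(name email msn aol comment)) {
        $entry{$field} = html_escape($in->{$field});
    }
    for my $field (qw(refer guest_site)) {
        $entry{$field} = safe_url($in->{$field});
    }
    # The poster's address comes from the server, not from a form field,
    # so it can neither be spoofed nor carry markup.
    $entry{ip} = html_escape(defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : '');
    return \%entry;
}

# Constructed form input illustrating the advisory's finding.
my $sample = {
    name       => 'Bob <script>alert(1)</script>',
    email      => 'bob@example.invalid',
    refer      => 'javascript:alert(1)',
    guest_site => 'http://example.invalid/" onmouseover="x',
    msn        => '',
    aol        => '',
    comment    => 'Hi "there" & welcome',
};

my $entry = process_input($sample);
for my $field (sort keys %$entry) {
    print "$field: $entry->{$field}\n";
}
```

 With this in place the "do not allow HTML" setting becomes the only
 behaviour: every field is text.  Honouring an "allow HTML in $comment"
 option safely would need a real HTML sanitizer with a tag allow-list, not
 a toggle that skips escaping.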

 Plain Text Administrative Password
 The administrative password is stored in plain text in the file
 also found in the same directory as the rest of the guestbook.
 Combined with the file permissions recommended by the author in
 "readme.txt", this means any "local" user can view the plain text
 password found in

