Message-ID: <20060625070733.29016.qmail@securityfocus.com>
Date: 25 Jun 2006 07:07:33 -0000
From: simo64@...il.com
To: bugtraq@...urityfocus.com
Subject: OpenGuestbook Cross Site Scripting & SQL Injection


Product      : Open Guestbook 0.5
Site         : http://sourceforge.net/projects/openguestbook
Discovered by: Moroccan Security Team (Simo64)
Greetz to    : And All Friends :)

Details :
=========

[+]Cross Site Scripting
************************

  [-]vulnerable code in header.php on line 5

  [1]  <html>
  [2]
  [3]  <head>
  [4]
  [5]  <title><? echo "$title"; ?></title>
  
   --------------------
   
   Exploit : http://localhost/openguestbook/header.php?title=</title>[XSS]
   
  [-] Solution
  
  edit line 5 on header.php
  
  [5] <title><? echo htmlspecialchars($title); ?></title>
   
   
[+]SQL Injection 
******************

   [-]vulnerable code in view.php near lines 23 - 28
   
   [23]  if (empty($offset)) {
   [24]  $offset=0;
   [25]  }
   [26]  
   [27]  // get results
   [28]  $result=mysql_query("SELECT * FROM $tentries ORDER BY ID DESC limit $offset,$limit");

   [-]Exploit : http://localhost/openguestbook/view.php?offset=[SQL]

   [-]Solution :
   
   edit line 23 in view.php 
   
   [23]  if (empty($offset) OR !is_numeric($offset)) {
   [24]  $offset=0;
   [25]  }

   
[+] Contact :
**************

simo64[at]gmail[dot]com
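
Added example, not part of the original advisory or of OpenGuestbook's code: a stricter form of the two fixes above, assuming PHP 7 or later. The function names page_offset, limit_clause and title_html are hypothetical. It shows that is_numeric() still lets values such as "1.5", "1e3" and "-1" through, none of which is a valid LIMIT offset, while an integer-only filter falls back to 0 for all of them.

```php
<?php
// Added example (not OpenGuestbook code): strict handling of the two
// request values the advisory shows reaching HTML output and SQL unfiltered.

// Return a non-negative integer offset, or 0 for anything else.
// FILTER_VALIDATE_INT rejects "1.5", "1e3", "-1" and "0 extra text";
// is_numeric() accepts the first three.
function page_offset($raw, int $max = 1000000): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $value === false ? 0 : $value;
}

// Build the LIMIT clause from integers only, so no request text is
// ever concatenated into the statement.
function limit_clause($raw_offset, int $limit): string
{
    return sprintf('LIMIT %d,%d', page_offset($raw_offset), max(1, $limit));
}

// Escape a value for the <title> element (HTML text context).
function title_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, as they might arrive in $_GET.
$samples = ['20', '', '1.5', '1e3', '-1', '0 extra text', ['x']];
foreach ($samples as $s) {
    printf("%-16s is_numeric=%-5s -> %s\n",
        json_encode($s),
        var_export(is_numeric($s), true),
        limit_clause($s, 10));
}

// Constructed title value containing markup; it is printed escaped.
echo title_html('</title><b>constructed</b>'), "\n";
```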

