lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 22 Jul 2006 09:06:26 -0000
From: admin@...orsecurity.de
To: bugtraq@...urityfocus.com
Subject: [MajorSecurity #25] Advanced Guestbook 2.4 for phpBB - Multiple
 XSS and SQL-Injection Vulnerabilities

[MajorSecurity #25] Advanced Guestbook 2.4 for phpBB - Multiple XSS and SQL-Injection Vulnerabilities
----------------------------------------------------------------------------------------

Software: Advanced Guestbook for phpBB

Version: 2.4

Type: Cross site scripting + SQL Injection

Made public: July, 22th 2006 

Author: Dreamy and Kooky

Page: http://www.phpbbhacks.com/viewhack.php?id=966


Credits:
----------------------------------------------
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls25.txt

Affected Products:
----------------------------------------------
Advanced Guestbook for phpBB 2.4

Description:
----------------------------------------------
Advanced Guestbook is a PHP-based guestbook script. 
It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , 
html tags handling, smilies, advanced guestbook codes and language support. 
The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.

Requirements:
----------------------------------------------
register_globals = On

Vulnerabilities:
----------------------------------------------
XSS:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
It works with a script code like this:

>"><script%20%0a%0d>alert(123456789)%3B</script>

SQL Injection:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that html tags
are not going to be executed. You should also work with the "intval()" php-function to ensure that the input
is numeric. 

Example:
<?php
  $pass = htmlentities($_POST['pass']);
  echo htmlspecialchars("<script");
  $id = intval($_POST['id']);
?>

Set "register_globals" to "Off".

Powered by blists - more mailing lists