Message-ID: <44D2818E.1020805@gmx.net>
Date: Fri, 04 Aug 2006 00:06:54 +0100
From: Tamriel <tamriel@....net>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtrack@...urityfocus.com
Subject: GaesteChaos <= 0.2 Multiple Vulnerabilities
Advisory: GaesteChaos <= 0.2 Multiple Vulnerabilities
Release Date: 2006/08/04
Last Modified: 2006/08/03
Author: Tamriel [tamriel at gmx dot net]
Application: GaesteChaos <= 0.2
Risk: Moderate
Vendor Status: not contacted
Vendor Site: www.chaossoft.de
Overview:
Quote from www.chaossoft.de:
"GaesteChaos is a guestbook for your homepage. It is
small and compact, written in PHP, and uses
MySQL to store the data."
Details:
1) eintragen.php contains possible cross-site scripting
vulnerabilities.
These can be used to insert malicious code that will be executed
on the client's machine.
The input fields "gastname" and "gastwohnort" are not checked
by this script.
2) SQL injection vulnerabilities in eintragen.php
(around lines 35-45)
...
mysql_db_query($database, "INSERT INTO $tabellekommentar SET
    eintragid = '$komwelches', name = '$gastname', email = '$gastemail',
    wohnort = '$gastwohnort', datum = '$timestamp', ip = '$tempip',
    host = '$hosti', homepage = '$gasthomepage', eintrag = '$gasteintrag',
    geschlecht = '$geschlechti'");
...
Solution:
Take a look at PHP's htmlentities and mysql_real_escape_string
functions.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
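
The Solution in the advisory names htmlentities and mysql_real_escape_string. The following is an added example, not part of the advisory and not GaesteChaos code, showing both defenses applied to the quoted INSERT, with PDO bound parameters used in place of mysql_real_escape_string. The in-memory SQLite database, the table name kommentar, the helper names insert_comment and h, and all sample values are assumptions.

```php
<?php
// Added example: hardened counterpart of the INSERT quoted in the advisory.
// Assumptions: PDO with an in-memory SQLite database stands in for the MySQL
// server; the table name 'kommentar' and all sample values are constructed.

// Column names are taken from the advisory's query.
const COLUMNS = ['eintragid', 'name', 'email', 'wohnort', 'datum', 'ip',
                 'host', 'homepage', 'eintrag', 'geschlecht'];

function insert_comment(PDO $db, string $table, array $fields): void
{
    // Identifiers cannot be bound as parameters, so restrict the table name.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    $cols  = implode(', ', COLUMNS);
    $marks = implode(', ', array_map(fn($c) => ":$c", COLUMNS));
    $stmt  = $db->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
    foreach (COLUMNS as $c) {
        // Values travel separately from the SQL text, so quotes stay data.
        $stmt->bindValue(":$c", (string)($fields[$c] ?? ''));
    }
    $stmt->execute();
}

function h(string $s): string
{
    // Encode at output time so stored markup is rendered as text.
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kommentar (' . implode(' TEXT, ', COLUMNS) . ' TEXT)');

// Constructed input: a quote that would break the concatenated query, and markup.
insert_comment($db, 'kommentar', [
    'eintragid' => '1',
    'name'      => "O'Brien <i>x</i>",
    'wohnort'   => '"><b>Berlin</b>',
    'eintrag'   => 'Hello',
    'datum'     => (string)time(),
]);

foreach ($db->query('SELECT name, wohnort FROM kommentar') as $row) {
    echo h($row['name']), ' from ', h($row['wohnort']), "\n";
}
```

The values are stored unmodified and encoded only when written into HTML, so the same row stays safe to reuse in other output contexts with their own encoding.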