
Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution

by Nikola Strahija on April 4th, 2002

Dynamic Guestbook V3.0 does not check for bad user input (such as PHP code or JavaScript). Under certain circumstances it is possible to execute arbitrary commands on the server.


DETAILS

As you can see in this script, which is used to write the user input into a
file (usually gb.data), the input is not tested for Cross Site Scripting or
any other malicious characters before it is written.

###################### quote source ############################

##### Open the file for reading #####
open (GBDB, $in{gbdaten});
@inhalt = <GBDB>;
close (GBDB);
##### Write the entry at the beginning of the file #####
chomp($date);
open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
# The form fields ($in{name}, $in{mail}, $in{kommentar}) are written unchecked.
print GBDB
"$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
foreach $zeile (@inhalt) {
print GBDB $zeile;
}
close (GBDB);

################### /quote ##########################
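The following is an added example of how the same write routine can be hardened; it is not code from the advisory or from Dynamic Guestbook. It assumes the form fields arrive in a hash %in as in the original, that the data file path is fixed by the administrator ($GBDATEN is a hypothetical constant), and that the helper names (html_escape, clean_field, build_record, write_entry) are illustrative. The two changes that matter: the file name is never taken from the request (the original's open(GBDB, $in{gbdaten}) lets an untrusted value choose what gets opened), and every field is escaped before it is stored so it is rendered as text, not markup.

```perl
#!/usr/bin/perl
# Added example, not part of the original advisory or the guestbook code.
use strict;
use warnings;
use Fcntl qw(:flock);

# Fixed, administrator-controlled path (hypothetical). Never let the
# request select the file that gets opened.
my $GBDATEN = '/var/lib/guestbook/gb.data';

# Escape the characters HTML treats specially so a stored entry is displayed
# as text and never interpreted as markup or script when the page is rendered.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Strip characters that would break the record format (newlines, the ":|:"
# field separator), cap the length, then escape for HTML.
sub clean_field {
    my ($s, $max) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\r\n]//g;                 # one record per line
    $s =~ s/:\|:/ /g;                  # keep the separator unambiguous
    $s = substr($s, 0, $max) if length($s) > $max;
    return html_escape($s);
}

# Build one record line from untrusted form input plus trusted values.
sub build_record {
    my ($in, $date, $remote_addr) = @_;
    chomp($date);
    return join(':|:',
        clean_field($in->{name},      64),
        clean_field($in->{mail},     128),
        clean_field($date,            64),
        clean_field($remote_addr,     45),
        clean_field($in->{kommentar}, 2000),
    ) . "\n";
}

# Prepend the new record as the original does, but with a three-argument
# open on the fixed path, an explicit mode, and a lock so that concurrent
# posts cannot corrupt the file. Assumes the data file already exists.
sub write_entry {
    my ($in, $date, $remote_addr) = @_;
    my $record = build_record($in, $date, $remote_addr);

    open(my $fh, '+<', $GBDATEN) or die "Cannot open $GBDATEN: $!";
    flock($fh, LOCK_EX)           or die "Cannot lock $GBDATEN: $!";
    my @inhalt = <$fh>;
    seek($fh, 0, 0)               or die "seek: $!";
    truncate($fh, 0)              or die "truncate: $!";
    print $fh $record, @inhalt;
    close($fh)                    or die "Cannot write $GBDATEN: $!";
}

# Constructed sample input for a stand-alone run (not a real request).
my %in = (
    name      => 'Alice <b>',
    mail      => 'alice@example.com',
    kommentar => "Hello <script>x</script>\nsecond line",
);
print build_record(\%in, scalar localtime, '192.0.2.10');
```

Running the script prints a single record line in which the angle brackets are stored as &lt; and &gt; and the embedded newline is gone, so a later read of gb.data yields exactly one record per line. In a CGI deployment the script should additionally run under Perl's taint mode (-T), which refuses to pass unchecked request data to open and similar calls.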

IMPACT

Commands can possibly be executed with the rights of the current user.
Cross Site Scripting is also possible.


EXPLOIT

A proof of concept exploit will be released in an updated Advisory at the
end of April at

http://www.it-checkpoint.net/advisory/7.html



ADDITIONAL INFORMATION
Vendor has been contacted with an Advisory including a proof of concept
exploit.


Bug discovered and published by Florian Hobelsberger (BlueScreen) from www.IT-Checkpoint.net


--------------------------------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
