Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Simple one-file GuestBook 1.0

From: omnipresent () email it
Date: 9 Aug 2006 13:10:49 -0000
.:. Simple one-file guestbook 1.0 .:.

Date:
-----

August 08, 2006 

Vendor:
-------

http://www.xeroxer.com/index.php?page=3

Description:
------------

This is my simple one-file guestbook.
It's made of one .php file (the script) and one .txt file (the entrystorage file).
It uses no database just a flat textfile.
It is made so it's easy to include in any page.
It has admin login where you can edit and remove entrys.
Demo can be found at: http://php.xeroxer.com/simple_one-file_guestbook/demo/guestbook.php
Any help needed please mail me at: webmaster () xeroxer com

Version:
--------

<= 1.0

Vulnerability(ies) / Exploit(s):
--------------------------------

I malicious people can Bypass Administrator Pannel to delete all of the messages in the GuestBook because there is no 
control
about admin credential.

PoC(s):
-------

An attacker can use this URL via the browser to delete all messages:

http://host/[path]/guestbook.php?id=4


Vendor Status:
--------------

[August 08, 2006] Informed!

Solution:
---------

[August 08, 2006] No solution available from the vendor.

You can edit the source code and control the administratior credential.

Credit:
-------
omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org
Previous By Date Next
Previous By Thread Next

Current thread: