 Philip Chinery's Guestbook 1.1 (maybe older versions too?)


Notified Vendor:

Affected Systems:
 Webservers that run "Philip Chinery's Guestbook 1.1"

Found by:
 Markus Arndt<[EMAIL PROTECTED]>

Short Description:
 Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (Cross-Site Scripting)

This nice lil' guestbook lets the owner choose to filter out JScript and/or 
Let's see the start of its sub where it saves an entry:

---code starts---

sub SaveData {
    # Only $Text (the comment body) is ever filtered; Name, EMail and
    # Homepage are stored exactly as submitted.
    if ($kill_html == 1) {
        $Text =~ s/<([^>]|\n)*>//g;          # strip anything that looks like a tag
    }
    if ($kill_html == 2) {
        $Text =~ s/</&lt;/g;                 # escape angle brackets instead
        $Text =~ s/>/&gt;/g;
    }
    if ($kill_java) {
        $Text =~ s/<!--(.|\n)*-->//g;        # strip HTML comments
    }
    $Text =~ s/\n/&nbsp;<br>/g;              # newlines become line breaks
    $Text =~ tr/|/ /;                        # '|' is the record separator in the data file
    $Text =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
    $Text =~ s/\cM//g;                       # drop carriage returns
    # (remainder of the sub not quoted in this advisory)

---code ends---

That's all it filters. As we can see, it only filters the comment text a 
user wrote!
For example, the fields "Name", "EMail" and "Homepage" are NOT checked!
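As an added illustration of the fix (this is not the guestbook's own code), the same escaping the `$kill_html == 2` branch applies to `$Text` has to be applied to every field that ends up in the rendered page. The field names come from the advisory; the sample entry values are constructed, and the `Name` value reuses the payload quoted below so you can see it neutralised:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that let a value break out of HTML text context.
# Like the $kill_html == 2 branch of SaveData, but also escapes '&' and the
# quote characters, so a value is safe inside an attribute as well.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;    # must run first, or the entities below get double-encoded
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Sanitize a whole entry: every user-supplied field goes through the same
# escaping, not just the comment body.
sub sanitize_entry {
    my (%entry) = @_;
    my %clean;
    for my $field (qw(Name EMail Homepage Text)) {
        $clean{$field} = escape_html($entry{$field});
    }
    # Line breaks become <br> only *after* escaping, so the only tag in the
    # output is the one we emit ourselves.
    $clean{Text} =~ s/\r//g;
    $clean{Text} =~ s/\n/<br>/g;
    return %clean;
}

# Constructed sample entry: a script payload in the Name field, which the
# original SaveData never touches.
my %posted = (
    Name     => '<script>alert("gotcha!");</script>',
    EMail    => 'someone@example.invalid',
    Homepage => 'http://example.invalid/',
    Text     => "css example\nsecond line",
);

my %clean = sanitize_entry(%posted);
for my $field (qw(Name EMail Homepage Text)) {
    printf "%-9s %s\n", "$field:", $clean{$field};
}
```

Running it prints the `Name` field as `&lt;script&gt;alert(&quot;gotcha!&quot;);&lt;/script&gt;`, which the browser shows as literal text instead of executing. Escaping at write time, as the guestbook does, also means already-stored entries stay dirty; escaping at render time would cover those too.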

So let's build a URL to exploit this:

http://[target]/cgi-bin/<script>alert("gotcha!");</script>&[EMAIL PROTECTED]&Text=css%20example

This would post a message that displays an alert box on a visitor's screen
when accessing the guestbook.

As I noticed, the guestbook logs IP addresses but doesn't prevent spam.
It also automatically redirects posters back to the main guestbook page.
That makes it very easy to post entries that e.g. force visitors to spam the guestbook 
(really annoying).

Sorry for bad English, hope you can understand what I'm talkin' about. ;)
