what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

major_rls25.txt

major_rls25.txt
Posted Jul 24, 2006
Authored by David "Aesthetico" Vieira-Kurz | Site majorsecurity.de

Advanced Guestbook version 2.4 for phpBB suffers from SQL injection and cross site scripting flaws.

tags | advisory, xss, sql injection
SHA-256 | b67b1ed7ace90df14b07005282f1a53f186e99a81b64127332f7eafd4710d901

major_rls25.txt

Change Mirror Download
[MajorSecurity #25] Advanced Guestbook 2.4 for phpBB - Multiple XSS and SQL-Injection Vulnerabilities
----------------------------------------------------------------------------------------

Software: Advanced Guestbook for phpBB

Version: 2.4

Type: Cross site scripting + SQL Injection

Made public: July, 22th 2006

Author: Dreamy and Kooky

Page: http://www.phpbbhacks.com/viewhack.php?id=966


Credits:
----------------------------------------------
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls25.txt

Affected Products:
----------------------------------------------
Advanced Guestbook for phpBB 2.4

Description:
----------------------------------------------
Advanced Guestbook is a PHP-based guestbook script.
It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning ,
html tags handling, smilies, advanced guestbook codes and language support.
The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.

Requirements:
----------------------------------------------
register_globals = On

Vulnerabilities:
----------------------------------------------
XSS:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
It works with a script code like this:

>"><script%20%0a%0d>alert(123456789)%3B</script>

SQL Injection:
Input passed directly to the "entry" parameter in "guestbook.php" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that html tags
are not going to be executed. You should also work with the "intval()" php-function to ensure that the input
is numeric.

Example:
<?php
$pass = htmlentities($_POST['pass']);
echo htmlspecialchars("<script");
$id = intval($_POST['id']);
?>

Set "register_globals" to "Off".
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close