BugTraq
BlackBook - Multiple Vulnerabilities Jul 13 2003 12:33AM
morning_wood (se_cur_ity hotmail com)
------------------------------------------------------------------
- EXPL-A-2003-015 exploitlabs.com Advisory 015
------------------------------------------------------------------
-= BlackBook =-

Donnie Werner
July 11, 2003

Vulnerability(s):
----------------
1. XSS executes JS in PHP remotely
2. Default and plaintext password
3. File permission issues
4. phpinfo.php

Product:
--------
EJ3 BlackBook v1.0 - S.10-VIII-2002
http://membres.lycos.fr/eejj33/blackbook_en.php
http://membres.lycos.fr/eejj33/download/blackbook10.zip

Description of product:
-----------------------
"BlackBook is a complete guestbook script with tons of features
that don't need MySQL to work. Search, compare & if you find
a guestbook better than BlackBook, use it!! Author: Emilio José
Jiménez

Requirements:
Webspace with PHP4 support.
TOPo has been developed over an Apache v1.3 + PHP v4.0.6
platform running in Windows 98 SE and has been fully tested in
Internet Explorer v5.5"

ummm.. ok hint: it runs on most anything with php installed

VULNERABILITY / EXPLOIT
======================
Another very popular "guestbook" type of php script with many flaws...

1. XSS vulnerabilities lie in almost every field EXCEPT the message
body.
As a note, HTML is set to "off" by default in sign.php.

"<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>"

The JS code is rendered / executed in the user's browser upon a
trivial visit to
http://[host]/blackbook/index.php
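To show what the missing output encoding looks like and how it is fixed, here is an added example (not BlackBook's own code; the field names in `$entry` are hypothetical). The unsafe renderer echoes guestbook fields verbatim, so a stored entry like the one above runs in every visitor's browser; the hardened renderer applies the same entity encoding to every field, not just the message body, and only links http/https homepages.

```php
<?php
// Added example, not code from the BlackBook project. Field names are assumed.

// Constructed sample entry carrying the script tag quoted in the advisory.
$entry = [
    'name'    => '<SCRIPT>alert(document.domain);</SCRIPT>',
    'email'   => 'guest@example.com',
    'url'     => 'http://example.com/',
    'message' => 'Nice site <b>!</b>',
];

// Vulnerable pattern: fields are dropped into the page as-is, so the browser
// parses the stored <SCRIPT> tag and executes it for every visitor.
function render_unsafe(array $e): string {
    return "<div class=\"entry\"><b>{$e['name']}</b> ({$e['email']})<br>{$e['message']}</div>";
}

// Output encoding: <, >, ", ' and & become entities, so the text is displayed,
// never parsed as markup or script.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The homepage field ends up in an href, so besides encoding it we only keep
// http/https URLs; anything else is dropped.
function safe_url(string $u): ?string {
    $p = parse_url($u);
    if ($p === false || !isset($p['scheme'])) {
        return null;
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true) ? $u : null;
}

// Hardened pattern: every untrusted field passes through h() before output.
function render_safe(array $e): string {
    $name = h($e['name']);
    $link = safe_url($e['url']);
    $nameHtml = $link !== null ? '<a href="' . h($link) . '">' . $name . '</a>' : $name;
    return '<div class="entry"><b>' . $nameHtml . '</b> ('
         . h($e['email']) . ')<br>' . h($e['message']) . '</div>';
}

echo render_unsafe($entry), "\n";   // script tag survives intact
echo render_safe($entry), "\n";     // &lt;SCRIPT&gt;... shown as text
```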

2. Default user / password is "admin / pass", stored in plaintext in
"config.php".

3. Posts are stored in /blackbook/data/data.dat, which is not protected
by default.
The information includes user / IP info and message info. The setup
appears to set this perm, but it does not. Setting up on an NT box
completely makes the user believe it is setting perms 666, 777 etc..
( umm.. this aint your fathers *nix )

4. phpinfo.php, let's help remote enumeration some, huh?
ref: http://security.opennet.ru/base/exploits/1054831094_2217.txt.html

Local:
------
yes, cleartext in config.php

Remote:
-------
yup we got XSS and stuff via remote

Vendor Fix:
-----------
There is no fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory
ej3 (at) myrealbox (dot) com

Credits:
--------

Donnie Werner
morning_wood (at) exploitlabs (dot) com
http://exploitlabs.com

Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-blackbook.txt
