BugTraq
OpenGuestbook Cross Site Scripting & SQL Injection Jun 25 2006 07:07AM
simo64 gmail com
Produce : Open Guestbook 0.5

Site : http://sourceforge.net/projects/openguestbook

Discovred by: Moroccan Security Team (Simo64)

Greetz to : And All Friends :)

Details :

=========

[+]Cross Site Scripting

************************

[-]vulnerable code in header.php on line 5

[1] <html>

[2]

[3] <head>

[4]

[5] <title><? echo "$title"; ?></title>

--------------------

Exploit : http://localhost/openguestbook/header.php?title=</title>[XSS]

[-] Solution

edit line 5 on header.php

[5] <title><? echo htmlspecialchars($title); ?></title>

[+]SQL Injection

******************

[-]vulnerable code near lines 23 - 28

[23] if (empty($offset)) {

[24] $offset=0;

[25] }

[26]

[27] // get results

[28] $result=mysql_query("SELECT * FROM $tentries ORDER BY ID DESC limit $offset,$limit");

[-]Exploit : http://localhost/openguestbook/view.php?offset=[SQL]

[-]Solution :

edit line 23 in view.php

[23] if (empty($offset) OR !is_numeric($offset) {

[24] $offset=0;

[+] Contact :

**************

simo64[at]gmail[dot]com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus