From:	 Markus Arndt <markus-arndt@web.de>
To:	 bugtraq@securityfocus.com
Subject: Philip Chinery's Guestbook 1.1 fails to filter out js/html
Date:	 Sun, 21 Apr 2002 11:03:07 +0200

Target:
 Philip Chinery's Guestbook 1.1 (maybe older versions?)

Vendor:
 http://www.sector7g.de.vu

Notified Vendor:
 Sure

Affected Systems:
 Webservers that run "Philip Chinery's Guestbook 1.1"

Found by:
 Markus Arndt<markus-arndt@web.de>

Short Description:
 Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (CrossSiteScripting)

This nice lil' guestbook lets the owner choose to filter out JScript and/or HTML entries.
Let's look at the start of its sub where it saves an entry:

---code starts---

sub SaveData
{
    # $kill_html == 1: strip anything that looks like a tag from the comment body.
    if ($kill_html == 1) {
        $Text =~ s/<([^>]|\n)*>//g;
    }

    # $kill_html == 2: neutralise angle brackets in the comment body instead.
    if ($kill_html == 2) {
        $Text =~ s/</&lt;/g;
        $Text =~ s/>/&gt;/g;
    }

    # $kill_java: remove HTML comments from the comment body.
    if ($kill_java) {
        $Text =~ s/<!--(.|\n)*-->//g;
    }

    # Presentation rewrites, again applied to $Text only.
    $Text =~ s/\n/&nbsp;<br>/g;
    $Text =~ tr/|/ /;
    $Text =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
    $Text =~ s/\cM//g;

    # ... rest of the sub not shown in the advisory
}

---code ends---

That's all it filters out. As we can see, it only filters the comment text ($Text) a user wrote!
The other fields, for example "Name", "EMail" or "Homepage", are NOT checked at all.


So let's build a URL to exploit this:

http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&EMail=example@example.com&Text=css%20example

This would post an entry that displays an alert box on a visitor's screen
whenever the guestbook is viewed.

As I noticed, the guestbook logs IP addresses but doesn't prevent spam.
It also automatically redirects posters back to the main guestbook page.
That makes it very easy to post entries that e.g. force visitors to spam the guestbook (really annoying).
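As an added example (not the guestbook's own code, and not from the advisory's author), here is how SaveData could treat every submitted field the way it already treats $Text under $kill_html == 2. The field names follow the URL above; the scheme check on Homepage assumes the guestbook renders that field as a link, which the advisory does not state.

```perl
#!/usr/bin/perl
# Added example: escape every user-supplied field, not only the comment body,
# before the entry is written to the guestbook data file.
use strict;
use warnings;

# HTML-escape one value so browsers render it as text, never as markup.
# The original guestbook does this (under $kill_html == 2) for $Text alone.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;    # first, so the entities added below are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Sanitise a whole entry: every field the sign form submits goes through
# escape_html, then the cosmetic rewrites from the original SaveData are
# applied to the body only after escaping, so the <br> it inserts is the
# only markup left in the stored text.
sub sanitize_entry {
    my (%entry) = @_;
    my %clean;
    for my $field (qw(Name EMail Homepage Text)) {
        $clean{$field} = escape_html($entry{$field});
    }

    # Assumption: Homepage is rendered as an <a href>. Escaping alone does not
    # stop a non-web URL scheme from reaching the href, so accept http(s) only.
    $clean{Homepage} = '' unless $clean{Homepage} =~ m{^https?://}i;

    $clean{Text} =~ s/\cM//g;
    $clean{Text} =~ s/\n/&nbsp;<br>/g;
    $clean{Text} =~ tr/|/ /;    # '|' separates fields in the guestbook's data file
    $clean{Text} =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
    return %clean;
}

# Constructed sample input: the Name field carries the script payload from
# the advisory's example URL.
my %posted = (
    Name     => '<script>alert("gotcha!");</script>',
    EMail    => 'example@example.com',
    Homepage => 'http://example.invalid/',
    Text     => "css example\nsecond line | with a pipe",
);

my %safe = sanitize_entry(%posted);
print "$_: $safe{$_}\n" for qw(Name EMail Homepage Text);
```

The point of routing all four fields through one escape routine is that the choice of filter no longer depends on which form field the text arrived in; a later check on the stored record (for example grepping the data file for a literal "<") then catches anything that slipped past.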


Sorry for bad English, hope you can understand what I'm talkin' about. ;)


Markus Arndt<markus-arndt@web.de>
http://skka.de