From: Markus Arndt <markus-arndt@web.de>
To: bugtraq@securityfocus.com
Subject: Philip Chinery's Guestbook 1.1 fails to filter out js/html
Date: Sun, 21 Apr 2002 11:03:07 +0200

Target: Philip Chinery's Guestbook 1.1 (possibly older versions too)
Vendor: http://www.sector7g.de.vu
Notified Vendor: Yes
Affected Systems: Web servers that run "Philip Chinery's Guestbook 1.1"
Found by: Markus Arndt <markus-arndt@web.de>

Short Description: Philip Chinery's Guestbook 1.1 fails to filter out JavaScript/HTML (cross-site scripting)

This little guestbook lets the owner choose to filter JavaScript and/or HTML out of entries. Here is the start of the sub in which it saves an entry (the &lt; and &gt; entity replacements were lost to HTML decoding in the archived copy and are restored here; otherwise the code is as posted):

---code starts---
sub SaveData {
    # $kill_html == 1: strip anything that looks like a tag (may span lines)
    if ($kill_html == 1) {
        $Text =~ s/<([^>]|\n)*>//g;
    }
    # $kill_html == 2: keep the text but encode angle brackets as entities
    if ($kill_html == 2) {
        $Text =~ s/</&lt;/g;
        $Text =~ s/>/&gt;/g;
    }
    # $kill_java: strip HTML comments
    if ($kill_java) {
        $Text =~ s/<!--(.|\n)*-->//g;
    }
    # normalisation for the flat, |-separated data file
    $Text =~ s/\n/ <br>/g;
    $Text =~ tr/|/ /;
    $Text =~ s/\t/ /g;
    $Text =~ s/\cM//g;
    # ... remainder of the sub not shown in the post
}
---code ends---

That is all it filters, and note that every one of these substitutions runs on $Text alone, i.e. only the comment body a user wrote is filtered. The other fields of an entry, such as "Name", "EMail" and "Homepage", are NOT checked and are written to the guestbook page as submitted. So let's build a URL that exploits this:

http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&EMail=example@example.com&Text=css%20example

Requesting this posts an entry whose "Name" field is a script tag, so every visitor who views the guestbook afterwards gets an alert box on their screen. (The payload is shown unencoded for readability.)

As I noticed, the guestbook logs IP addresses but doesn't prevent spam. It also automatically redirects posters back to the main guestbook page. That makes it very easy to post entries that, e.g., force visitors to spam the guestbook (really annoying).

Sorry for my bad English, I hope you can understand what I'm talking about. ;)

Markus Arndt <markus-arndt@web.de>
http://skka.de
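The point of the post is that the filter is applied to $Text only while the remaining fields are interpolated into the page untouched. The script below is an added example, not code from the post or from the guestbook: it reproduces the kill_html == 2 treatment of the comment body, renders the entry built by the URL above with an assumed HTML template (the post does not show the guestbook's output code), and then renders the same entry with an escape-every-field version. The hardened subs render_fixed, escape_html and safe_url are mine, and the sample Homepage value is constructed to show that an attribute context needs escaping too.

```perl
#!/usr/bin/perl
# Added example: the same guestbook entry rendered two ways.
use strict;
use warnings;

# Mirror of the original's per-field treatment: only $Text is filtered
# (kill_html == 2 mode: angle brackets encoded as entities).
sub filter_text_original {
    my ($text) = @_;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/\n/ <br>/g;
    $text =~ tr/|/ /;      # '|' is the field separator of the data file
    $text =~ s/\t/ /g;
    $text =~ s/\cM//g;
    return $text;
}

# Rendering as the post describes it: Name, EMail and Homepage go
# straight into the page. The template itself is an assumption.
sub render_original {
    my (%e) = @_;
    my $text = filter_text_original($e{Text});
    return qq{<b><a href="mailto:$e{EMail}">$e{Name}</a></b> }
         . qq{(<a href="$e{Homepage}">Homepage</a>)<br>$text<hr>\n};
}

# Hardened version (added here, not the vendor's fix): escape every
# field at output time, and only accept http(s) URLs for the link.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;     # must come first or it re-escapes the others
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

sub safe_url {
    my ($u) = @_;
    return $u =~ m{\A https?:// [^\s"'<>]+ \z}x ? $u : '';
}

sub render_fixed {
    my (%e) = @_;
    my $name  = escape_html($e{Name});
    my $email = escape_html($e{EMail});
    my $url   = escape_html(safe_url($e{Homepage}));
    my $text  = escape_html($e{Text});
    $text =~ s/\r//g;
    $text =~ s/\n/ <br>/g;   # line breaks are re-added *after* escaping
    my $home = $url ? qq{ (<a href="$url">Homepage</a>)} : '';
    return qq{<b><a href="mailto:$email">$name</a></b>$home<br>$text<hr>\n};
}

# Constructed sample entry: the Name payload from the URL in the post,
# plus a Homepage value that breaks out of the href attribute.
my %entry = (
    Name     => '<script>alert("gotcha!");</script>',
    EMail    => 'example@example.com',
    Homepage => 'http://example.com/"><script>alert(1)</script>',
    Text     => "css example\n<b>bold?</b>",
);

print "--- as the guestbook renders it ---\n", render_original(%entry);
print "--- with every field escaped ---\n",    render_fixed(%entry);
```

Running it shows the first rendering emitting two live script tags (one from Name, one from the Homepage attribute break-out) while the comment body is correctly entity-encoded; the second rendering emits none, and the malformed Homepage is dropped rather than linked. The lesson is the one the post makes: escaping has to be applied per output context to every user-controlled value, not to the one field the author happened to think of.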