From: Ahmet Sabri ALPER (s_alper@hotmail.com)
Date: Sat Mar 16 2002 - 17:10:03 CST


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A08 ----/----------/+
    +/-----------\----- salper@olympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : BG Guestbook Cross Site Scripting Vulnerability
    Software Package : BG Guestbook
    Vendor Homepage : http://billyg.no-ip.com:8080/bggb/
    Vulnerable Versions: v1.0
    Platforms : PHP & MySQL dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/03/2002
    Vendor Replied : waiting for reply (5 days left)
    Prior Problems : N/A
    Current Version : v1.1 (immune)


    Summary
    -------
    BG GuestBook is a PHP guestbook that uses MySQL. It
    has a Macromedia Flash interface and can also run in
    an HTML-only mode where Flash is not supported.

    A Cross Site Scripting vulnerability exists in BG
    GuestBook. It would allow a remote attacker to
    deliver content to visitors from an untrusted web
    server while making it appear to come from the
    legitimate guestbook server.


    Details
    -------
    Both the Flash and HTML-only versions are
    vulnerable to Cross Site Scripting attacks.
    All of the input fields in the posting form (name,
    email, AIM, location, website and message) are
    vulnerable to this type of attack.


    Example input to any of the above fields:
    <script>alert("ALPERz was here!")</script>

    After this entry is submitted, the script is stored
    and executes in the browser of anyone who views the
    guestbook's main page.


    Solution
    --------
    The vendor confirmed the vulnerability and released a
    new version on the same day the bug was discovered.

    I suggested the following as a workaround:
    strip HTML tags, and possibly other malicious code,
    within "signgbook.php".
    At the beginning of "signgbook.php" add the lines
    below:

    # Patch Start
    # Remove HTML/PHP tags from every posting-form field before it
    # is stored or echoed. Assumes register_globals (the PHP 4
    # default at the time); with it off, read the fields from
    # $_POST instead. This filters input only; encoding the
    # fields on output (htmlspecialchars) is the more complete fix.
    $name    = strip_tags($name);
    $email   = strip_tags($email);
    $aimscr  = strip_tags($aimscr);
    $website = strip_tags($website);
    $loc     = strip_tags($loc);
    $msg     = strip_tags($msg);
    # Patch End
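As an added example, not code from BG Guestbook or the advisory, here is the other half of the defence: encoding each field at the point where it is written into the page, so that whatever reached the database cannot be interpreted as markup. The field names follow the patch above; the entry layout and the use of the website field as a link are assumptions.

```php
<?php
// Added example, not BG Guestbook's own code: output encoding as the
// complement to the strip_tags() input filter in the advisory's patch.
// Every field is HTML-encoded at the moment it is written into the page,
// so nothing stored in the database can be interpreted as markup.
// Field names follow the patch; the entry layout is assumed.

// Encode a value for use in an HTML text node or quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the website only if it is an absolute http(s) URL; anything
// else is shown as plain text instead of being emitted as a link.
function safe_website(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $ok = in_array(strtolower($p['scheme']), ['http', 'https'], true);
    return $ok ? $url : null;
}

// Render one guestbook entry as an HTML fragment.
function render_entry(array $e): string
{
    $site = safe_website($e['website']);
    $siteHtml = ($site === null)
        ? h($e['website'])
        : '<a href="' . h($site) . '">' . h($site) . '</a>';
    return '<div class="entry">'
        . '<b>' . h($e['name']) . '</b> &lt;' . h($e['email']) . '&gt; '
        . '(AIM: ' . h($e['aimscr']) . ', ' . h($e['loc']) . ') ' . $siteHtml
        . '<p>' . nl2br(h($e['msg'])) . '</p>'
        . '</div>';
}

// Constructed sample entry carrying the advisory's test string.
$entry = [
    'name'    => 'visitor',
    'email'   => 'visitor@example.invalid',
    'aimscr'  => 'visitor',
    'website' => 'http://example.invalid/',
    'loc'     => 'somewhere',
    'msg'     => '<script>alert("ALPERz was here!")</script>',
];
echo render_entry($entry), "\n";
```

With this in place the message field is displayed as literal text, and the website field is only turned into a link when it is an http(s) URL.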


    Credits
    -------
    Discovered on 15 March 2002 by
    Ahmet Sabri ALPER
    salper@olympos.org
    http://www.olympos.org


    References
    ----------
    Product Web Page: http://billyg.no-ip.com:8080/bggb/