AresU Advisory
19/July/2002

Easy Guestbook Vulnerabilities

Severity : High (Possible to edit member
homepage)
Systems Affected: Easy Guestbook v1.0
Vendor URL : http://www.easyscripts.co.uk
Vuln Type : It does not use Access Validation to
delete the entries and login as Admin Control.
Author : AresU
Greetz to : Bosen, Tioeuy, eF73, SakitJiwa,
nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL :
http://bosen.net/advisories/aresu-adv.002.txt

Summary
=======
1) Everyone can delete the entries and login as Admin
Control.
2) Everyone can reconfigure Guestbook when they open
config.cgi and change Admin Password.

Solution
========
1) Add Access Validation on "delete_message" function
and "start" function.

   Add admin.cgi with this code:
   sub login_verify
   {
        chomp($FORM{'login_username'});
        chomp($FORM{'login_password'});
        if (!($FORM{'login_username'} eq $username &&
$FORM{'login_password'} eq $password))
        {
          dienice("Sorry, but you have entered an
invalid username or password. Please press the 'back'
button on your browser to return to the Login
Screen.");
        }
   }
  
   And on the first line of "delete_message" function
and "start" function add this:
   &login_verify;

   And on the "start" function add this code in the
<FORM>:
   <input type="hidden" name="login_username"
value="$FORM{'login_username'}">
   <input type="hidden" name="login_password"
value="$FORM{'login_password'}">
   
2) Delete config.cgi after you finish configure the
Guestbook.

Acknowledgments
===============
Vulnerability discovery, exploit code, and advisory by
AresU

Vendor Response
===============
Vendor has been contacted for about 10 days but they
still didn't fix yet.

Exploit Code
============
Change action in the html form.

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

• application/x-zip-compressed attachment: easyguestbook.zip

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]