 
OpenGuestbook Cross Site Scripting & SQL Injection

From: simo64@gmail.com
Date: Sun Jun 25 2006 - 02:07:33 CDT


Product : Open Guestbook 0.5
Site : http://sourceforge.net/projects/openguestbook
Discovered by: Moroccan Security Team (Simo64)
Greetz to : And All Friends :)

Details :
=========

[+]Cross Site Scripting
************************

  [-]vulnerable code in header.php on line 5

  [1] <html>
  [2]
  [3] <head>
  [4]
  [5] <title><? echo "$title"; ?></title>
  
   --------------------
   
   Exploit : http://localhost/openguestbook/header.php?title=</title>[XSS]

   Note: $title is only attacker-controlled through the query string if PHP's register_globals is enabled
   or the including script assigns $title from $_GET. Because the value is printed inside <title>, the
   injected </title> closes the tag early and whatever follows is parsed as markup. The same
   register_globals caveat applies to $offset in view.php below.
   
  [-] Solution
  
  edit line 5 on header.php
  
  [5] <title><? echo htmlspecialchars($title); ?></title>
   
   
[+]SQL Injection
******************

   [-]vulnerable code near lines 23 - 28
   
   [23] if (empty($offset)) {
   [24] $offset=0;
   [25] }
   [26]
   [27] // get results
   [28] $result=mysql_query("SELECT * FROM $tentries ORDER BY ID DESC limit $offset,$limit");

   [-]Exploit : http://localhost/openguestbook/view.php?offset=[SQL]

   [-]Solution :
   
   edit line 23 in view.php
   
   [23] if (empty($offset) OR !is_numeric($offset)) {
   [24] $offset=0;
   [25] }

   Note: is_numeric() also accepts strings such as "1e3", "0.5" and " 5" that are not valid LIMIT
   arguments, so casting with (int)$offset is the safer check. $limit on line 28 is interpolated into
   the same query unescaped and needs the same treatment.
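   The following is an added example, not code from OpenGuestbook or from the advisory author. It
   shows a hardened form of the two spots above: the <title> output from header.php and the
   LIMIT window from view.php. It assumes the variable names used in the advisory ($title, $offset,
   $limit, $tentries), that the values arrive via $_GET, and PHP 7 or later; the function names and
   the default/maximum page sizes are illustrative. It escapes the title with ENT_QUOTES (so single
   quotes are covered too), coerces both LIMIT operands to bounded integers instead of relying on
   is_numeric(), and only builds the query string, so it runs without a database.

```php
<?php
// Added example (not OpenGuestbook's code). Assumes $title/$offset/$limit
// come from $_GET and that $tentries is the configured entries table name.

// header.php: the value lands inside <title>, so an attacker's goal is to
// close that tag early. Escape <, >, &, " and ' for the document charset.
function render_title(string $title): string
{
    return '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</title>';
}

// view.php: LIMIT takes two integers. Cast instead of using is_numeric(),
// which also accepts "1e3", "0.5" and " 5". Bound both values so a huge
// $limit cannot be used to dump the whole table in one request.
function page_window(array $get, int $default_limit = 10, int $max_limit = 100): array
{
    $offset = isset($get['offset']) ? (int) $get['offset'] : 0;
    $limit  = isset($get['limit'])  ? (int) $get['limit']  : $default_limit;
    if ($offset < 0) {
        $offset = 0;
    }
    if ($limit < 1 || $limit > $max_limit) {
        $limit = $default_limit;
    }
    return array($offset, $limit);
}

// Build the query the advisory quotes from view.php line 28. %d forces
// integers; the table name is configuration, not user input, but quote
// it as an identifier anyway.
function entries_query(string $tentries, int $offset, int $limit): string
{
    return sprintf(
        'SELECT * FROM `%s` ORDER BY ID DESC LIMIT %d,%d',
        str_replace('`', '``', $tentries),
        $offset,
        $limit
    );
}

// Constructed sample input standing in for the [SQL] and [XSS] placeholders
// in the advisory's URLs.
$get = array('offset' => '0 OR 1=1', 'limit' => '1e3');
list($offset, $limit) = page_window($get);
echo entries_query('entries', $offset, $limit), "\n";
echo render_title('</title><script>alert(1)</script>'), "\n";
```

   With the constructed input the cast reduces the offset to 0, the out-of-range limit falls back to
   the default, and the title is printed with its angle brackets encoded, so the browser never sees
   a closing </title>. Prepared statements are not available through the mysql_* extension the
   guestbook uses; if the code is ever moved to mysqli or PDO, bind the LIMIT operands as integers
   instead of interpolating them.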

   
[+] Contact :
**************

simo64[at]gmail[dot]com