######################################################################
#
# Mambo Component AkoBook <= 3.42 - XSS/Script Injection Vulnerability
#
# Date : 04-september-2007
# Risk : Low
# Vendor URL : http://www.mamboportal.com
# Dork : allinurl: index.php?option=com_akobook
#
# Found By : Rubn Ventura Piña (Trew)
# Contact Info : http://trew.icenetx.net
# trew.revolution@gmail.com
# ICEnetX Team - http://icenetx.net
#
######################################################################
#
# Greetings oh earthlings:
# Ayzax, BRIO, Gaper, (All ICEnetX Team), n3, Tog, ta^3, Paisterist,
# kbyte, and to all people who like H.I.M, lol.
#
# "Maybe you can't break the system, but you can always hack it."
#
######################################################################
#
## Vulnerability ##
#
# AkoBook is a Guestbook component for Mambo. A vulnerability in AkoBook
# 3.42 and earlier versions can be exploited by malicious people to conduct
# cross-site scripting attacks.
#
# Input passed to the "gbmail" and "gbpage" parameters in the signing page
# (generally index.php?option=com_akobook&func=sign) is not properly sanitised.
# This can be exploited to inject script code into the page, and as a result
# conduct a persistent XSS attack.
#
# Some characters such as "<" and ">" are not allowed, but single quotes can
# still be used. The following code in one of the vulnerable inputs would
# result in an XSS:
# Injection: wawa' onload=javascript:alert(/XSS/) a='
#
# After the script is sent, it should appear in the guestbook source code
# like this, exploiting the XSS flaw:
#
# <a href='http://wawa' onload=javascript:alert(/XSS/) a=''>
# <img src='homepage.gif' alt='http://wawa' onload=javascript:alert(/XSS/) a=''></a>
#
#
## How to fix ##
#
# Sanitise quotes properly in all the form inputs.
#
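# The fix, as an added PHP example (not AkoBook's code; all function names
# are hypothetical). It prints the advisory's injection string through a
# "<"/">"-only filter and then through quote-aware encoding and validation.

```php
<?php
// Added example. Function names are hypothetical, not AkoBook's own code.

// "Before": a filter like the one described above. "<" and ">" are dropped,
// single quotes pass through unchanged.
function weak_filter($value)
{
    return str_replace(array('<', '>'), '', $value);
}

// Output encoding for an HTML attribute value. ENT_QUOTES makes
// htmlspecialchars() encode ' as well as ", so the value cannot close
// the attribute it is printed into.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Input validation for the homepage field (gbpage): keep only well-formed
// http/https URLs, otherwise store an empty string.
function clean_homepage($value)
{
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $value : '';
}

// Input validation for the e-mail field (gbmail).
function clean_email($value)
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? '' : $value;
}

// Constructed input: the injection string from this advisory.
$gbpage = "http://wawa' onload=javascript:alert(/XSS/) a='";

// Before: the quote ends href and onload is parsed as a new attribute.
echo "<a href='" . weak_filter($gbpage) . "'>\n";
// After, encoding only: the whole string stays inside href.
echo "<a href='" . attr($gbpage) . "'>\n";
// After, validation plus encoding: the malformed URL is not kept at all.
echo "<a href='" . attr(clean_homepage($gbpage)) . "'>\n";
echo "<span title='" . attr(clean_email("wawa' a='")) . "'></span>\n";
```

#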
# wawawa
#
[EOF]