.:. MicroGuestBook Remote XSS Bug .:.
Date:
-----
July 2006, 22
Product:
--------
MicroGuestBook Latest Version
Vendor:
-------
http://www.phptoys.com
Description:
------------
Micro guestbook is a MySQL based guestbook script with a CSS based attractive interface. It can store the name, date,
message, location, web and email information of the visitor.
Exploit(s)/Advisory(ies):
-------------------------
The application is vulnerable to a Remote XSS Bug. The fields 'name' and 'comment' are not properly sanitized before being
used, so a malicious user can exploit this vulnerability to inject arbitrary HTML and script code.
If you look at the code in add.php you can see:
[...]
if (isset($_POST['submitBtn'])) {
    // Each POST field is copied verbatim: no escaping and no character filtering.
    $name     = (isset($_POST['name']))     ? $_POST['name']     : '' ;
    $comment  = (isset($_POST['comment']))  ? $_POST['comment']  : '' ;
    $location = (isset($_POST['location'])) ? $_POST['location'] : '' ;
    $website  = (isset($_POST['website']))  ? $_POST['website']  : '' ;
    $email    = (isset($_POST['email']))    ? $_POST['email']    : '' ;
    $actDate  = date("Y-m-d H:i:s");
    //Minimum name and comment length.
    if ((strlen($name) > 2) && (strlen($comment) > 5)){
        // Only the length is checked; the raw values are then stored as they arrived.
        $sql  = "INSERT INTO guestbook (name,text,insertdate,location,web,email) VALUES (";
        $sql .= "'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
        $MyDb->f_ExecuteSql($sql);
[...]
And in index.php you will see:
[...]
<div id="name"><?php echo $row['name']; ?></div>  <!-- stored value echoed without escaping -->
<div id="info">
    <div id="infoicons">
    <?php
    // 'web' and 'email' are placed straight into href attributes, again unescaped.
    if (strlen($row['web']) > 5) echo '<a href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
    if (strlen($row['email']) > 5) echo '<a href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
    ?>
    </div>
    <div id="infodate"><?php echo $row['insertdate']; ?></div>
</div>
</div>
<div id="base">
<div id="icon"><?php echo $row['location']; ?></div>
<div id="text"><?php echo nl2br($row['text']); ?></div>  <!-- nl2br() only adds <br />, it does not escape HTML -->
[...]
PoC(s):
-------
You can put your own HTML or script code in the 'name' or 'comment' field. Try:
<script>alert("XSS")</script>
Vendor Status:
--------------
[July 2006, 22] Vendor contacted!
Patches:
--------
[July 2006, 22] At the moment there is no patch available from the vendor. Check this site to see whether a patch
has been posted:
http://www.phptoys.com
If you don't want to wait, edit the source code to ensure that input is properly sanitised before it is echoed.
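As an illustration of the fix suggested above, here is a hardened rendering of the index.php fragment quoted earlier. This is an added example, not MicroGuestBook code: every stored value is escaped for the HTML context it lands in, and the 'web' and 'email' values are validated before being placed inside an href attribute. The function names and the sample $row are assumptions.

```php
<?php
// Added example (not from the MicroGuestBook source). Escapes each stored field
// on output and validates the two values that are emitted inside href attributes.

function gb_escape(string $value): string {
    // Turn <, >, &, " and ' into entities so stored markup is displayed, not run.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function gb_render_entry(array $row): string {
    $html  = '<div id="name">' . gb_escape($row['name']) . '</div>' . "\n";
    $html .= '<div id="info"><div id="infoicons">' . "\n";

    // Link to the site only when the value looks like a host/path (letters, digits,
    // dots, dashes, slashes); quotes, angle brackets and scheme prefixes are refused.
    if (strlen($row['web']) > 5 && preg_match('~^[A-Za-z0-9.\-/]+$~', $row['web'])) {
        $html .= '<a href="http://' . gb_escape($row['web']) . '"><img src="style/www.gif"></a>' . "\n";
    }
    // Only a syntactically valid address is allowed into the mailto: link.
    if (strlen($row['email']) > 5 && filter_var($row['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $html .= '<a href="mailto:' . gb_escape($row['email']) . '"><img src="style/mail.gif"></a>' . "\n";
    }
    $html .= '</div>' . "\n";
    $html .= '<div id="infodate">' . gb_escape($row['insertdate']) . '</div></div></div>' . "\n";
    $html .= '<div id="base">' . "\n";
    $html .= '<div id="icon">' . gb_escape($row['location']) . '</div>' . "\n";
    // Escape first, then convert newlines; nl2br() output must not be escaped again.
    $html .= '<div id="text">' . nl2br(gb_escape($row['text'])) . '</div>' . "\n";
    return $html;
}

// Constructed sample row: the advisory's PoC string in 'name' and 'text', a 'web'
// value containing a quote that would otherwise break out of the href attribute.
$row = [
    'name'       => '<script>alert("XSS")</script>',
    'text'       => "first line\n<script>alert(\"XSS\")</script>",
    'insertdate' => '2006-07-22 12:00:00',
    'location'   => 'Italy',
    'web'        => 'www.example.com"broken',
    'email'      => 'visitor@example.com',
];

$out = gb_render_entry($row);
// No tag from the row survives; the malformed web link is dropped, the mail link kept.
var_dump(strpos($out, '<script') === false);
var_dump(strpos($out, 'mailto:visitor@example.com') !== false);
echo $out;
```

Run with `php example.php`; the rendered entry shows the PoC string as literal text and contains no <script> element.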
Credits:
--------
omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org