

Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution under certain circumstances


Date: Wed, 3 Apr 2002 10:57:34 +0200
From: Florian Hobelsberger / BlueScreen <genius28@gmx.de>
To: bugtraq@securityfocus.com, Noam Rathaus <news@securiteam.com>
Subject: Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution under certain circumstances

-------------------------------------------------------------
itcp advisory 7 advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/7.html
April  3rd, 2002
-------------------------------------------------------------



Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution
under certain circumstances
----------------------------------------------

Affected program: Dynamic Guestbook V3.0
Vendor: www.gcf.de  (German Computer Freaks)
Vulnerability-Class: XSS / Arbitrary Command Execution under certain
circumstances
OS specific: as far as I know: no
Problem-Type: remote
Certified with: Windows 2000 and Xitami Webserver



SUMMARY

Dynamic Guestbook V3.0 doesn't check for bad user input (like PHP code or
JavaScript). Under certain circumstances it is possible to execute
arbitrary commands on the server.


DETAILS

The script quoted below writes the user input into a file (usually gb.data).
As you can see, the input is not tested for Cross Site Scripting or any
malicious characters before it is stored.
###################### quote source ############################

##### Open the file for reading #####
open (GBDB, $in{gbdaten});
@inhalt = <GBDB>;
close (GBDB);
##### Write the entry at the beginning of the file #####
chomp($date);
open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
print GBDB
"$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
foreach $zeile (@inhalt) {
print GBDB $zeile;
}
close (GBDB);

################### /quote ##########################
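
One way to harden the write routine quoted above, as an added example that is
not part of the original advisory or the vendor's code: it escapes each field
before storage, keeps the ":|:" separator and newlines out of field data, and
opens a fixed data file with three-argument open instead of a name taken from
the request. The field length limits, the clean_field/add_entry names and the
sample input are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the vendor's code: hardened form of the quoted write routine.
use strict;
use warnings;
use Fcntl qw(:flock);

my $GBDATEN = 'gb.data';   # assumption: fixed in the script, never read from the request

# Encode HTML metacharacters and "|" so stored text renders as text and can
# never form the ":|:" field separator.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;', '|' => '&#124;');

sub clean_field {
    my ($value, $max) = @_;
    $value = '' unless defined $value;
    $value = substr($value, 0, $max);          # bound the field length (assumed limits)
    $value =~ s/[\x00-\x1f\x7f]+/ /g;          # newlines would forge extra records
    $value =~ s/([&<>"'|])/$ENT{$1}/g;
    return $value;
}

sub add_entry {
    my ($file, $in, $date, $addr) = @_;
    my $record = join(':|:',
        clean_field($in->{name}, 80),
        clean_field($in->{mail}, 120),
        clean_field($date, 40),
        clean_field($addr, 45),
        clean_field($in->{kommentar}, 2000)) . "\n";

    # Three-argument open: explicit mode, and $file is treated only as a path.
    open(my $fh, '+>>', $file) or die "cannot open $file: $!";
    flock($fh, LOCK_EX)        or die "cannot lock $file: $!";
    seek($fh, 0, 0);
    my @inhalt = <$fh>;                        # existing entries
    truncate($fh, 0)           or die "cannot truncate $file: $!";
    seek($fh, 0, 0);
    print {$fh} $record, @inhalt;              # new entry first, then the old ones
    close($fh)                 or die "cannot write $file: $!";
    return $record;
}

# Constructed sample input standing in for the parsed form data (%in).
my %in = (name => 'Alice', mail => 'alice@example.org',
          kommentar => "<b>hi</b>\nMallory:|:m\@example.org");
print add_entry($GBDATEN, \%in, scalar(localtime), $ENV{REMOTE_ADDR} // '127.0.0.1');
```

Escaping at write time protects every later reader of gb.data; a display script
that already escapes on output would then need to skip its own encoding step to
avoid double-escaped text.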

IMPACT

Commands can possibly be executed with the rights of the current user.
Also, Cross Site Scripting is possible.


EXPLOIT

A proof of concept exploit will be released in an updated Advisory at the
end of April at

http://www.it-checkpoint.net/advisory/7.html



ADDITIONAL INFORMATION
Vendor has been contacted with an Advisory including a proof of concept
exploit.


Bug discovered and published by Florian Hobelsberger (BlueScreen) from
www.IT-Checkpoint.net


--------------------------------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
