[ARL02-A08] BG Guestbook Cross Site Scripting Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Sat Mar 16 2002 - 15:10:03 PST

    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\-------  Security Advisory  -----/---------/+
    +/----------\------    ID: ARL02-A08    ----/----------/+
    +/-----------\----- salperat_private  ---/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : BG Guestbook Cross Site Scripting Vulnerability
    Software Package   : BG Guestbook
    Vendor Homepage    : http://billyg.no-ip.com:8080/bggb/
    Vulnerable Versions: v1.0
    Platforms          : PHP & MySQL dependent
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 15/03/2002
    Vendor Replied     : waiting for reply (5 days left)
    Prior Problems     : N/A
    Current Version    : v1.1 (immune)
    
    
    Summary
    -------
    BG GuestBook is a PHP guestbook that utilizes MySQL, 
    has a Macromedia Flash interface and is also 
    capable of using HTML only, where Flash is not 
    supported. 
    
    A Cross Site Scripting vulnerability exists in BG 
    GuestBook. This would allow a remote attacker to 
    send information to victims from untrusted web 
    servers, and make it look as if the information 
    came from the legitimate server.
    
    
    Details
    -------
    Both the Flash and HTML only versions are 
    vulnerable to Cross Site Scripting attacks.
    All of the input fields (including name, email, AIM, 
    location, website and message) in the posting form 
    are vulnerable to this type of attack.
    
    
    Example input to any of the above fields:
    <script>alert("ALPERz was here!")</script>
    
    After submitting this information, whenever anyone 
    browses the guestbook's main page, the script will 
    take effect.
    
    
    Solution
    --------
    The vendor confirmed the vulnerability and released a 
    new version on the same day as the bug's discovery.
    
    I suggested the following as a workaround:
    Strip HTML tags, and possibly other malicious code, 
    within "signgbook.php".
    I suggest the following as a workaround:
    At the beginning of "signgbook.php" add the lines 
    below:
    
    # Patch Start
    # Remove HTML tags from every field of the posting form
    # (name, email, AIM, website, location, message) before
    # the values are stored and later displayed.
    $name    = strip_tags($name);
    $email   = strip_tags($email);
    $aimscr  = strip_tags($aimscr);
    $website = strip_tags($website);
    $loc     = strip_tags($loc);
    $msg     = strip_tags($msg);
    # Patch End
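The workaround above strips markup on input, which is lossy (legitimate text containing angle brackets is mangled) and does not protect a URL field that is rendered as a link. The standard fix for this class of bug is to encode every stored field at output time and to restrict link fields to http/https. The following is an added example written for this post, not code from the advisory or from BG Guestbook; it reuses the advisory's field names, while the gb_* function names and the sample entry are constructed.

```php
<?php
// Added example (not from the advisory or BG Guestbook): escape-on-output
// rendering of a guestbook entry. Field names follow the advisory's patch;
// the gb_* function names are hypothetical.

// Encode a value for safe insertion into HTML text or a quoted attribute.
function gb_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http/https URLs for the website link; anything else
// (other schemes, relative paths, garbage) is dropped rather than linked.
function gb_safe_url(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? trim($url) : null;
}

// Render one entry. Every field is encoded here, at output time, so stored
// markup is displayed literally instead of being interpreted by the browser.
function gb_render_entry(array $entry): string
{
    $name = gb_escape($entry['name']);
    $loc  = gb_escape($entry['loc']);
    $msg  = nl2br(gb_escape($entry['msg']));
    $site = gb_safe_url($entry['website']);
    $link = ($site !== null)
        ? ' <a href="' . gb_escape($site) . '" rel="nofollow">' . gb_escape($site) . '</a>'
        : '';
    return "<div class=\"entry\"><b>$name</b> ($loc)$link<p>$msg</p></div>\n";
}

// Constructed sample entry using the advisory's own test string as the name,
// a non-http scheme in the website field, and inline markup in the message.
$entry = [
    'name'    => '<script>alert("ALPERz was here!")</script>',
    'loc'     => 'Ankara',
    'website' => 'javascript:void(0)',
    'msg'     => "Hello <b>world</b>\nsecond line",
];
echo gb_render_entry($entry);
// The <script> element is emitted as &lt;script&gt;... text and the
// non-http website value produces no link at all.
```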
    
    
    Credits
    -------
    Discovered on 15 March 2002 by 
    Ahmet Sabri ALPER 
    salperat_private
    http://www.olympos.org
    
    
    References
    ----------
    Product Web Page: http://billyg.no-ip.com:8080/bggb/
    
    This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 18:10:21 PST