Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution under certain circumstances

From: Florian Hobelsberger / BlueScreen (genius28at_private)
Date: Wed Apr 03 2002 - 00:57:34 PST


    -------------------------------------------------------------
    itcp advisory 7 advisories@it-checkpoint.net
    http://www.it-checkpoint.net/advisory/7.html
    April  3rd, 2002
    -------------------------------------------------------------
    
    
    
    Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution
    under certain circumstances
    ----------------------------------------------
    
    Affected program: Dynamic Guestbook V3.0
    Vendor: www.gcf.de  (German Computer Freaks)
    Vulnerability-Class: XSS / Arbitrary Command Execution under certain
    circumstances
    OS specific: as far as I know: no
    Problem-Type: remote
    Certified with: Windows 2000 and Xitami Webserver
    
    
    
    SUMMARY
    
    Dynamic Guestbook V3.0 does not check user input for malicious content (such
    as PHP code or JavaScript). Under certain circumstances it is possible to
    execute arbitrary commands on the server.
    
    
    DETAILS
    
    As the following excerpt shows, the script that writes user input into a
    file (usually gb.data) does not test the input for Cross Site Scripting or
    any malicious characters.
    ###################### quote source ############################
    
    ##### Open the file for reading #####
    open (GBDB, $in{gbdaten});
    @inhalt = <GBDB>;
    close (GBDB);
    ##### Write the entry at the beginning of the file #####
    chomp($date);
    open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
    print GBDB "$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
    foreach $zeile (@inhalt) {
    print GBDB $zeile;
    }
    close (GBDB);
    
    ################### /quote ##########################
    
    IMPACT
    
    Commands can possibly be executed with the rights of the current user.
    Also, Cross Site Scripting is possible.
    
    
    EXPLOIT
    
    A proof of concept exploit will be released at the end of April in an
    updated Advisory at
    
    http://www.it-checkpoint.net/advisory/7.html
    
    
    
    ADDITIONAL INFORMATION
    Vendor has been contacted with an Advisory including a proof of concept
    exploit.
    
    
    Bug discovered and published by Florian Hobelsberger (BlueScreen) from
    www.IT-Checkpoint.net
    
    
    --------------------------------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
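
A hardened form of the write routine quoted under DETAILS, as an added example that is not the vendor's or the advisory author's code. It assumes entries are later rendered as HTML; the file name, the length limits and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock);

# Assumption: the data file path is set server-side, not read from the request.
my $GB_FILE = 'gb.data';

# Make one field safe to store and later render:
#  - control characters (including CR/LF, which would start a new record) become spaces
#  - the value is truncated to a maximum length (limits are illustrative)
#  - HTML metacharacters are entity-encoded, so stored <script> or <?php ... ?> is inert text
#  - ':' and '|' are entity-encoded, so the ":|:" field separator cannot be injected
sub clean_field {
    my ($value, $max_len) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\x00-\x1f\x7f]+/ /g;
    $value = substr($value, 0, $max_len);
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;',
               "'" => '&#39;', ':' => '&#58;', '|' => '&#124;');
    $value =~ s/([&<>"':|])/$ent{$1}/g;
    return $value;
}

# Build one record in the guestbook's name:|:mail:|:date:|:address:|:comment layout.
sub build_record {
    my ($in, $date, $addr) = @_;
    return join(':|:',
        clean_field($in->{name},      80),
        clean_field($in->{mail},      120),
        clean_field($date,            40),
        clean_field($addr,            45),
        clean_field($in->{kommentar}, 2000)) . "\n";
}

# Append under an exclusive lock, using three-argument open with an explicit mode.
sub append_entry {
    my ($record) = @_;
    open(my $fh, '>>', $GB_FILE) or die "cannot open $GB_FILE: $!";
    flock($fh, LOCK_EX)          or die "cannot lock $GB_FILE: $!";
    print {$fh} $record;
    close($fh)                   or die "cannot close $GB_FILE: $!";
}

# Constructed sample input: markup in the name, a forged record in the comment.
my %in = (name      => 'Eve<script>/* constructed */</script>',
          mail      => 'eve@example.org',
          kommentar => "<?php /* constructed */ ?>\nfake:|:entry");
my $record = build_record(\%in, 'Wed Apr 03 2002', '192.0.2.10');
append_entry($record);
print $record;
```

The stored line contains exactly four `:|:` separators and no raw `<`, `>` or newline from the submitted fields, so a reader of `gb.data` sees one record whose markup displays as text.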
    


