myGuestBk Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1006394 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 28 2003
|
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Description: An input validation vulnerability was reported in myGuestBk (also known as 'my guest book'). A remote user can conduct cross-site scripting attacks. A remote user can also gain administrative access to the guest book.
DWC Gr0up reported that the script does not filter HTML code from user-supplied e-mail names or guest book messages. A remote user
can submit a specially crafted value so that when a target user views the guest book entry, arbitrary scripting code will be executed
by the target user's browser. The code will originate from the site running the guest book software and will run in the security
context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies),
if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on
the site acting as the target user.
A demonstration exploit is provided:
http://[target]/myguestBk/add1.asp?name=Name&subject=Subj&email=M@IL&message=<script>alert
("Test!")</script>
Some demonstration exploit message contents are provided:
<script>alert ("Test!")</script>
A remote
user can reportedly access the administration control panel with the following URL:
http://[target]/myguestBk/admin/index.asp
A
remote user can also delete guest book entries with the following type of URL:
http://[target]/myguestBk/admin/delEnt.asp?id=[NEWSNUMBER]
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running myGuestBk,
access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A
remote user can gain administrative access to the application.
|
Solution: No solution was available at the time of this entry. The vendor's web site indicates that the product is no longer supported.
|
Vendor URL: www.myscript.co.il/myscript/index.asp (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: Over_G <overg@mail.ru>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 27 Mar 2002 18:07:27 +0300
From: Over_G <overg@mail.ru>
Subject: Vulnerability in my guest book
|
Product: My guest book
Version: ?
OffSite: ?
Problem: CSS and unauthorized access in admin panel
--------------------------------------------------------------
1)Cross Site scripting
http://[target]/myguestBk/add1.asp?name=Name&subject=Subj&email=M@IL&message=<scr*pt>
alert ("Test!")</scr*pt>
Or open http://[target]/myguestBk/add.asp and write in "Message" field:
<scr*pt>alert ("Test!")</scr*pt> and press "Post Message".
2)Unauthorized access in admin panel
http://[target]/myguestBk/admin/index.asp
Delete news:
http://[target]/myguestBk/admin/delEnt.asp?id=NEWSNUMBER
with NEWSNUMBER - news number in database.
Contacts: www.overg.com www.dwcgr0up.com
irc.zaingandol.org #DWC
ogprog@ukr.net
Best regards, Over G[DWC Gr0up]
|
|
