Jason Maloney's Guestbook XSS Vulnerability.
~*~*~*~*~*~*~
Introduction
~*~*~*~*~*~*~
Jason Maloney's Guestbook is a simple CGI script which
is both an easy to use and easy to setup guestbook
script. The script fails to carefully sanitize user
input, such as certain dangerous metacharacters,
resulting in an XSS vulnerability.
~*~*~*~*~*~*~
The Bug
~*~*~*~*~*~*~
During the user-input parsing routine, below, the
guestbook script performs poor user-input
sanitization, resulting in an XSS vulnerability. Here
is the vulnerable code:
############### START HERE ###############
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
if ($allow != 1) {
$value =~ s/<([^>]|\n)*>//g;
}
$FORM{$name} = $value;
}
################ END HERE ################
The code fails to properly check for and eliminate
some dangerous metacharacters such as '<' and '>' in
some places, thus resulting in the potential to embed
pieces of javascript and other malicious code into
form fields.
~*~*~*~*~*~*~
Impact
~*~*~*~*~*~*~
Allows malicious users to execute script as other
users.
~*~*~*~*~*~*~
The Exploit
~*~*~*~*~*~*~
During the input of information into the fields in the
guestbook message posting form, an attacker can simply
insert malicious javascript code into a text field,
such as the 'name' field.
Simple insert
'<script>alert("Vulnerable")</script>'
into the 'name' field and post a message to test the
vulnerability out. An alert window will appear with
containing the string "Vulnerable". When a user
visits the guestbook page, the popup will appear
again, thus the potential for code execution is
existant. An attacker can easily insert more
malicious javascript depending on her intentions.
~*~*~*~*~*~*~
The Fix
~*~*~*~*~*~*~
The vulnerability can be fixed by applying the
following simple diff patch via the command 'patch
guest.cgi guest.patch'.
(I'm sorry for the size of it - I'm new to diff and
couldn't figure out how to decrease the size. Anybody
with the answer, please kindly email me :-))
############### START HERE ###############
--- guest.cgi 2003-12-03 16:07:15.000000000 +0000
+++ guest1.cgi 2003-12-05 17:05:31.000000000 +0000
@@ -1,280 +1,282 @@
-#!/usr/local/bin/perl
-#######################################################
-# Program - Guestbook - version 3.0
#
-# Updated April 16, 1998
#
-#
#
-# This is a Guestbook program that logs the Name,
#
-# E-mail, URL, City, State and a Comment. The
#
-# person, however, must enter their Name, E-mail,
#
-# and a Comment.
#
-#
#
-# MAKE SURE THAT YOU READ OVER THE TERMS OF AGREEMENT
#
-# BEFORE USING THIS SCRIPT. BY USING THIS SCRIPT,
#
-# YOU ARE AGREEING TO ABIDE BY THEM. HOWEVER, IF YOU
#
-# DON'T AGREE WITH IT, THEN DON'T USE MY SCRIPTS.
#
-# PLEASE READ THE 'README.TXT' FILE BEFORE
INSTALLING.#
-# KEEP IN MIND THAT JASON'S SCRIPTS & THE AESTHETIC
#
-# SURGERY CENTER SHALL NOT BE HELD LIABLE FOR ANY
#
-# DAMAGES THAT MAY OCCUR FROM DOWNLOADING AND/OR
#
-# INSTALLING MY PROGRAMS. USE AT YOUR OWN RISK!
#
-#
#
-# A Few liness came from Matt's Scripts @
#
-# http://www.worldwidemart.com/scripts
#
-#######################################################
-$directory_gbook =
"/usr/users/guestbook/guestbook.html";
-$guestbook =
"http://www.yourdomain.com/guestbook/guestbook.html";
-$cgi =
"http://www.yourdomain.com/guestbook/guest.cgi";
-$base = "http://www.yourdomain.com/guestbook/";
-$gif1 = "add.gif";
-$gif2 = "miss.gif";
-$gif3 = "thanks.gif";
-$gif4 = "blueline.gif";
-
-$mail = 1;
-$mailto = 'user@xxxxxxxxxxxxxxx';
-
-############################################################
-#Don't touch, these are necessary to run the script!
-$mailprog = '/usr/lib/sendmail';
-$entry = 1;
-$allow = 1;
-$date_command = "/usr/bin/date";
-############################################################
-$date = `$date_command +"%B %d, %Y"`; chop($date);
-
-read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
-@pairs = split(/&/, $buffer);
-foreach $pair (@pairs) {
- ($name, $value) = split(/=/, $pair);
- $value =~ tr/+/ /;
- $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;
- $value =~ s/<!--(.|\n)*-->//g;
-
- if ($allow != 1) {
- $value =~ s/<([^>]|\n)*>//g;
- }
-
- $FORM{$name} = $value;
-}
-
-########
-#Checks to see that the comments, name and e-mail
address were added!
-&no_comments unless $FORM{'comments'};
-&no_name unless $FORM{'name'};
-&no_email unless $FORM{'email'};
-
-######
-#Checks to see if the E-mail address is in the normal
form,
-#yourname@xxxxxxxxxxxxxxx
-
-if (&email_check($FORM{'email'})) {
-}
-else {
-&no_email;
-}
-
-#######
-#Opens 'guestbook.html' for writting
-open (FILE,"$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
-@LINES=<FILE>;
-close(FILE);
-$SIZE=@LINES;
-
-# Open Link File to Output
-open (GUEST,">$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
-
-for ($i=0;$i<=$SIZE;$i++) {
- $_=$LINES[$i];
- if (/<!--add-->/) {
- if ($entry eq '1') {
- print GUEST "<!--add-->\n";
- }
- print GUEST "<TABLE CELLPADDING=0
CELLSPACING=1 BORDER=0>\n";
- if ( $FORM{'name'}) {
- print GUEST "<TR><TD><B>Name:</B></TD>
<TD>$FORM{'name'} - $date</TD></TR>\n";
- }
- if ($FORM{'email'}) {
- print GUEST "<TR><TD><B>E-mail:</B></TD>
<TD><A HREF=\"mailto:$FORM{'email'}\">
$FORM{'email'}</A></TD></TR>\n";
- }
- if ($FORM{'url'} ne "http://") {
- print GUEST "<TR><TD><B>My URL:</B></TD>
<TD><A
HREF=$FORM{'url'}>$FORM{'url'}</A></TD></TR>\n";
- }
- else {
- }
- if ( $FORM{'city'} ){
- print GUEST "<TR><TD><B>Location: </B></TD>
<TD>$FORM{'city'}";
- print GUEST ",
$FORM{'state'}
$FORM{'country'}</TD></TR>\n";
- }
- print GUEST "<TR><TD
VALIGN=top><B>Comments: </B></TD> \n";
- print GUEST
"<TD>$FORM{'comments'}</TD></TR></TABLE><P>\n";
- print GUEST "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR>\n\n\n";
- if ($entry eq '0') {
- print GUEST "<!--add->\n";
- }
- }
- else {
- print GUEST $_;
- }
-}
-close (GUEST);
-
-#########
-# Mail Option
-if ($mail eq '1') {
- open (MAIL, "|$mailprog $mailto") || die "Can't
open $mailprog!\n";
- print MAIL "Reply-to: $FORM{'email'}
($FORM{'name'})\n";
- print MAIL "From: $FORM{'email'}
($FORM{'name'})\n";
- print MAIL "Subject: Entry to YOUR Guestbook\n\n";
- print MAIL "$FORM{'name'} <$FORM{'email'}> has
made an entry to your guestbook!\n";
- print MAIL " - $date\n";
- close (MAIL);
-}
-
-##############
-# Print Thank You HTML
- print "Content-Type: text/html\n\n";
- print "<HTML>\n";
- print "<TITLE>Thank You</TITLE>\n";
- print "<BODY BGCOLOR=#FFFFFF>\n";
- print "<CENTER><IMG
SRC=\"$base$gif3\"></CENTER><BR>\n";
- print "Thank you, your entry has been added to
our";
- print "<A HREF=\"$guestbook\">
guestbook.</A><P>\n";
- print "Here is what you submitted:<P>\n";
- print "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR>\n";
- if ( $FORM{'name'}) {
- print "<B>Name:</B> $FORM{'name'} -
$date<BR>\n";
- }
- if ($FORM{'email'}) {
- print "<B>My E-mail:</B> <a
href=\"mailto:$FORM{'email'}\">
$FORM{'email'}</a><BR>\n";
- }
- if ($FORM{'url'} ne "http://") {
- print "<B>My URL:</B> <a
href=$FORM{'url'}>$FORM{'url'}</a><BR>\n";
- }
- else {
- }
- if ( $FORM{'city'} ){
- print "<B>Location: </B>$FORM{'city'}";
- print ",
$FORM{'state'}
$FORM{'country'}<BR>";
- }
- print "<BR><BR><B>Comments:</B>\n";
- print "$FORM{'comments'}<BR>\n";
- print "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR><BR>\n";
- print "</body></html>\n";
- exit;
-
-
-#######################
-# Subroutines
-sub no_name {
- print "Content-type: text/html\n\n";
- print "<HTML>\n";
- print "<TITLE>No Name</TITLE>\n";
- print "<BODY BGCOLOR=#FFFFFF>\n";
- print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
- print "You forgot to fill in your Name. We need
this in order to\n";
- print "process your entry. Please add your name in
the blank below.<p>\n";
- print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
- print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
- print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" ";
- print "SIZE=50></TD></TR>\n";
- print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
- print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
- print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
- print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
- print
"
";
- print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
- print "size=2>
<B>Country:</B> ";
- print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
- print "<TR><TD><B>Comments:</B></TD><TD>Comments
are stored and saved";
- print "<INPUT TYPE=HIDDEN NAME=\"comments\" ";
- print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n";
- print "<TR><TD> </TD><TD></TD></TR>\n";
- print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
- print "</TABLE>\n";
- print "</FORM>\n";
- print "</BODY></HTML>\n";
- exit;
-}
-
-sub no_email {
- print "Content-type: text/html\n\n";
- print "<HTML>\n";
- print "<TITLE>No E-Mail</TITLE>\n";
- print "<BODY BGCOLOR=#FFFFFF>\n";
- print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
- print "You forgot to fill in your E-mail address
or the e-mail addres you added\n";
- print "is invalid. We need this in order to\n";
- print "process your entry. Please add your E-mail
in the blank below.<p>\n";
- print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
- print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
- print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" VALUE=\"$FORM{'name'}\" ";
- print "SIZE=50></TD></TR>\n";
- print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
- print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
- print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
- print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
- print
"
";
- print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
- print "size=2>
<B>Country:</B> ";
- print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
- print "<TR><TD><B>Comments:</B></TD><TD>Comments
are stored and saved";
- print "<INPUT TYPE=HIDDEN NAME=\"comments\" ";
- print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n";
- print "<TR><TD> </TD><TD></TD></TR>\n";
- print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
- print "</TABLE>\n";
- print "</FORM>\n";
- print "</BODY></HTML>\n";
- exit;
-}
-
-sub no_comments {
- print "Content-type: text/html\n\n";
- print "<HTML>\n";
- print "<TITLE>No Comments</TITLE>\n";
- print "<BODY BGCOLOR=#FFFFFF>\n";
- print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
- print "You forgot to fill in your Comment. We need
this in order to\n";
- print "process your entry. Please add a comment in
the blank below.<p>\n";
- print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
- print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
- print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" ";
- print "VALUE=\"$FORM{'name'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
- print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
- print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
- print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
- print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
- print
"
";
- print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
- print "size=2>
<B>Country:</B> ";
- print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
- print "<TR><TD><B>Comments:</B></TD><TD><TEXTAREA
NAME=\"comments\" ";
- print "COLS=50 ROWS=7></TEXTAREA><p>\n";
- print "<TR><TD> </TD><TD></TD></TR>\n";
- print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
- print "</TABLE>\n";
- print "</FORM>\n";
- print "\n</BODY></HTML>\n";
- exit;
-}
-
-sub email_check {
- local($emails) = $_[0];
-
- if ($emails =~
/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)|(\.$)/ ||
- ($emails !~ /^.+\@localhost$/ &&
- $emails !~
/^.+\@\[?(\w|[-.])+\.[a-zA-Z]{2,3}|[0-9]{1,3}\]?$/)) {
- return(0);
- }
-
- else {
- return(1);
- }
-}
-1;
\ No newline at end of file
+#!/usr/bin/perl
+#######################################################
+# Program - Guestbook - version 3.0
#
+# Updated April 16, 1998
#
+#
#
+# This is a Guestbook program that logs the Name,
#
+# E-mail, URL, City, State and a Comment. The
#
+# person, however, must enter their Name, E-mail,
#
+# and a Comment.
#
+#
#
+# MAKE SURE THAT YOU READ OVER THE TERMS OF AGREEMENT
#
+# BEFORE USING THIS SCRIPT. BY USING THIS SCRIPT,
#
+# YOU ARE AGREEING TO ABIDE BY THEM. HOWEVER, IF YOU
#
+# DON'T AGREE WITH IT, THEN DON'T USE MY SCRIPTS.
#
+# PLEASE READ THE 'README.TXT' FILE BEFORE
INSTALLING.#
+# KEEP IN MIND THAT JASON'S SCRIPTS & THE AESTHETIC
#
+# SURGERY CENTER SHALL NOT BE HELD LIABLE FOR ANY
#
+# DAMAGES THAT MAY OCCUR FROM DOWNLOADING AND/OR
#
+# INSTALLING MY PROGRAMS. USE AT YOUR OWN RISK!
#
+#
#
+# A Few liness came from Matt's Scripts @
#
+# http://www.worldwidemart.com/scripts
#
+#######################################################
+
+$directory_gbook =
"/usr/local/apache/htdocs/guestbook.html";
+$guestbook = "http://localhost/guestbook.html";
+$cgi = "http://localhost/cgi-bin/guest.cgi";
+$base = "http://localhost/cgi-bin";
+$gif1 = "add.gif";
+$gif2 = "miss.gif";
+$gif3 = "thanks.gif";
+$gif4 = "blueline.gif";
+
+$mail = 1;
+$mailto = 'shaunige@xxxxxxxxxxx';
+$OK_CHARS='-a-zA-Z0-9_.@';
+
+############################################################
+#Don't touch, these are necessary to run the script!
+$mailprog = '/usr/lib/sendmail';
+$entry = 1;
+$allow = 1;
+$date_command = "/usr/bin/date";
+############################################################
+$date = `$date_command +"%B %d, %Y"`; chop($date);
+
+read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
+@pairs = split(/&/, $buffer);
+foreach $pair (@pairs) {
+ ($name, $value) = split(/=/, $pair);
+ $value =~ tr/+/ /;
+ $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg;
+ $value =~ s/[^$OK_CHARS]/_/go;
+
+ if ($allow != 1) {
+ s/[^$OK_CHARS]/_/go;
+ }
+
+ $FORM{$name} = $value;
+}
+
+########
+#Checks to see that the comments, name and e-mail
address were added!
+&no_comments unless $FORM{'comments'};
+&no_name unless $FORM{'name'};
+&no_email unless $FORM{'email'};
+
+######
+#Checks to see if the E-mail address is in the normal
form,
+#yourname@xxxxxxxxxxxxxxx
+
+if (&email_check($FORM{'email'})) {
+}
+else {
+&no_email;
+}
+
+#######
+#Opens 'guestbook.html' for writting
+open (FILE,"$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
+@LINES=<FILE>;
+close(FILE);
+$SIZE=@LINES;
+
+# Open Link File to Output
+open (GUEST,">$directory_gbook") || die "Can't Open
$directory_gbook: $!\n";
+
+for ($i=0;$i<=$SIZE;$i++) {
+ $_=$LINES[$i];
+ if (/<!--add-->/) {
+ if ($entry eq '1') {
+ print GUEST "<!--add-->\n";
+ }
+ print GUEST "<TABLE CELLPADDING=0
CELLSPACING=1 BORDER=0>\n";
+ if ( $FORM{'name'}) {
+ print GUEST "<TR><TD><B>Name:</B></TD>
<TD>$FORM{'name'} - $date</TD></TR>\n";
+ }
+ if ($FORM{'email'}) {
+ print GUEST "<TR><TD><B>E-mail:</B></TD>
<TD><A HREF=\"mailto:$FORM{'email'}\">
$FORM{'email'}</A></TD></TR>\n";
+ }
+ if ($FORM{'url'} ne "http://") {
+ print GUEST "<TR><TD><B>My URL:</B></TD>
<TD><A
HREF=$FORM{'url'}>$FORM{'url'}</A></TD></TR>\n";
+ }
+ else {
+ }
+ if ( $FORM{'city'} ){
+ print GUEST "<TR><TD><B>Location: </B></TD>
<TD>$FORM{'city'}";
+ print GUEST ",
$FORM{'state'}
$FORM{'country'}</TD></TR>\n";
+ }
+ print GUEST "<TR><TD
VALIGN=top><B>Comments: </B></TD> \n";
+ print GUEST
"<TD>$FORM{'comments'}</TD></TR></TABLE><P>\n";
+ print GUEST "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR>\n\n\n";
+ if ($entry eq '0') {
+ print GUEST "<!--add->\n";
+ }
+ }
+ else {
+ print GUEST $_;
+ }
+}
+close (GUEST);
+
+#########
+# Mail Option
+if ($mail eq '1') {
+ open (MAIL, "|$mailprog $mailto") || die "Can't
open $mailprog!\n";
+ print MAIL "Reply-to: $FORM{'email'}
($FORM{'name'})\n";
+ print MAIL "From: $FORM{'email'}
($FORM{'name'})\n";
+ print MAIL "Subject: Entry to YOUR Guestbook\n\n";
+ print MAIL "$FORM{'name'} <$FORM{'email'}> has
made an entry to your guestbook!\n";
+ print MAIL " - $date\n";
+ close (MAIL);
+}
+
+##############
+# Print Thank You HTML
+ print "Content-Type: text/html\n\n";
+ print "<HTML>\n";
+ print "<TITLE>Thank You</TITLE>\n";
+ print "<BODY BGCOLOR=#FFFFFF>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif3\"></CENTER><BR>\n";
+ print "Thank you, your entry has been added to
our";
+ print "<A HREF=\"$guestbook\">
guestbook.</A><P>\n";
+ print "Here is what you submitted:<P>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR>\n";
+ if ( $FORM{'name'}) {
+ print "<B>Name:</B> $FORM{'name'} -
$date<BR>\n";
+ }
+ if ($FORM{'email'}) {
+ print "<B>My E-mail:</B> <a
href=\"mailto:$FORM{'email'}\">
$FORM{'email'}</a><BR>\n";
+ }
+ if ($FORM{'url'} ne "http://") {
+ print "<B>My URL:</B> <a
href=$FORM{'url'}>$FORM{'url'}</a><BR>\n";
+ }
+ else {
+ }
+ if ( $FORM{'city'} ){
+ print "<B>Location: </B>$FORM{'city'}";
+ print ",
$FORM{'state'}
$FORM{'country'}<BR>";
+ }
+ print "<BR><BR><B>Comments:</B>\n";
+ print "$FORM{'comments'}<BR>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif4\"></CENTER><BR><BR>\n";
+ print "</body></html>\n";
+ exit;
+
+
+#######################
+# Subroutines
+sub no_name {
+ print "Content-type: text/html\n\n";
+ print "<HTML>\n";
+ print "<TITLE>No Name</TITLE>\n";
+ print "<BODY BGCOLOR=#FFFFFF>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
+ print "You forgot to fill in your Name. We need
this in order to\n";
+ print "process your entry. Please add your name in
the blank below.<p>\n";
+ print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
+ print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
+ print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" ";
+ print "SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
+ print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
+ print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
+ print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
+ print
"
";
+ print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
+ print "size=2>
<B>Country:</B> ";
+ print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
+ print "<TR><TD><B>Comments:</B></TD><TD>Comments
are stored and saved";
+ print "<INPUT TYPE=HIDDEN NAME=\"comments\" ";
+ print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n";
+ print "<TR><TD> </TD><TD></TD></TR>\n";
+ print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
+ print "</TABLE>\n";
+ print "</FORM>\n";
+ print "</BODY></HTML>\n";
+ exit;
+}
+
+sub no_email {
+ print "Content-type: text/html\n\n";
+ print "<HTML>\n";
+ print "<TITLE>No E-Mail</TITLE>\n";
+ print "<BODY BGCOLOR=#FFFFFF>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
+ print "You forgot to fill in your E-mail address
or the e-mail addres you added\n";
+ print "is invalid. We need this in order to\n";
+ print "process your entry. Please add your E-mail
in the blank below.<p>\n";
+ print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
+ print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
+ print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" VALUE=\"$FORM{'name'}\" ";
+ print "SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
+ print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
+ print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
+ print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
+ print
"
";
+ print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
+ print "size=2>
<B>Country:</B> ";
+ print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
+ print "<TR><TD><B>Comments:</B></TD><TD>Comments
are stored and saved";
+ print "<INPUT TYPE=HIDDEN NAME=\"comments\" ";
+ print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n";
+ print "<TR><TD> </TD><TD></TD></TR>\n";
+ print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
+ print "</TABLE>\n";
+ print "</FORM>\n";
+ print "</BODY></HTML>\n";
+ exit;
+}
+
+sub no_comments {
+ print "Content-type: text/html\n\n";
+ print "<HTML>\n";
+ print "<TITLE>No Comments</TITLE>\n";
+ print "<BODY BGCOLOR=#FFFFFF>\n";
+ print "<CENTER><IMG
SRC=\"$base$gif2\"></CENTER><BR>\n";
+ print "You forgot to fill in your Comment. We need
this in order to\n";
+ print "process your entry. Please add a comment in
the blank below.<p>\n";
+ print "<TABLE CELLSPACING=3 CELLPADDING=2>\n";
+ print "<FORM METHOD=POST ACTION=\"$cgi\">\n";
+ print "<TR><TD><B>Name:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"name\" ";
+ print "VALUE=\"$FORM{'name'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"email\" ";
+ print "VALUE=\"$FORM{'email'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>URL:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"url\" ";
+ print "VALUE=\"$FORM{'url'}\"
SIZE=50></TD></TR>\n";
+ print "<TR><TD><B>City:</B></TD><TD><INPUT
TYPE=TEXT NAME=\"city\" ";
+ print "VALUE=\"$FORM{'city'}\" SIZE=15>\n";
+ print
"
";
+ print "<B>State:</B><INPUT TYPE=TEXT
NAME=\"state\" value=\"$FORM{'state'}\" ";
+ print "size=2>
<B>Country:</B> ";
+ print "<INPUT TYPE=TEXT NAME=\"country\"
VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n";
+ print "<TR><TD><B>Comments:</B></TD><TD><TEXTAREA
NAME=\"comments\" ";
+ print "COLS=50 ROWS=7></TEXTAREA><p>\n";
+ print "<TR><TD> </TD><TD></TD></TR>\n";
+ print "<TR><TD></TD><TD><INPUT TYPE=IMAGE
SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n";
+ print "</TABLE>\n";
+ print "</FORM>\n";
+ print "\n</BODY></HTML>\n";
+ exit;
+}
+
+sub email_check {
+ local($emails) = $_[0];
+
+ if ($emails =~
/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)|(\.$)/ ||
+ ($emails !~ /^.+\@localhost$/ &&
+ $emails !~
/^.+\@\[?(\w|[-.])+\.[a-zA-Z]{2,3}|[0-9]{1,3}\]?$/)) {
+ return(0);
+ }
+
+ else {
+ return(1);
+ }
+}
+1;
################ END HERE ################
The patch changes the script to instead sanitize input
based on an array of permitted characters, rather than
an array of disallowed ones.
~*~*~*~*~*~*~
Credit
~*~*~*~*~*~*~
This vulnerability was discovered by Shaun Colley /
shaun2k2 on 05/12/03.
Thank you for your time.
Shaun.
________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs
http://www.yahoo.co.uk/robbiewilliams