hpm_guestbook.cgi JavaScript-Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: hpm_guestbook.cgi JavaScript-Injection
From: Christoph Burchert <chburchert@xxxxxx>
Date: 17 Feb 2005 16:18:02 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Hey dudes :)

Content:
     a) Problem
     b) Affected versions
     c) Exploiting
-------------------------------------------------------

A)
The HTML-function is usually activated in hpm_guestbook.cgi, so you can inject 
every HTML-code inclusive JavaScript.

B)
I don't know, sorry. In my version on a freespace hoster I couldn't see the 
version.

C)
You can post the following Proof of Concept code to understand the problem:

&lt;script language="JavaScript">alert("This guestbook is insecure: " + 
document.location.href);&lt;/script&gt;

If you're logged in as the admin of the guestbook and you want to see the posts 
you'll see that the password of your account is in the URL of hpm_login.cgi and 
the code shows you the URL. If you like you can make a code which sends the URL 
to a PHP-Script. Then you can get the password of the admin.
You have to keep your code in one line!

Cu
Chris

Prev by Date: [SECURITY] [DSA 686-1] New gftp packages fix directory traversal vulnerability
Next by Date: iDEFENSE Labs Website Launch
Previous by thread: [SECURITY] [DSA 686-1] New gftp packages fix directory traversal vulnerability
Next by thread: iDEFENSE Labs Website Launch
Index(es):
- Date
- Thread