OpenGuestbook Cross Site Scripting & SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OpenGuestbook Cross Site Scripting & SQL Injection
From: simo64@xxxxxxxxx
Date: 25 Jun 2006 07:07:33 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Produce     : Open Guestbook 0.5
Site        : http://sourceforge.net/projects/openguestbook
Discovred by: Moroccan Security Team (Simo64)
Greetz to   : And All Friends :)

Details :
=========

[+]Cross Site Scripting
************************

  [-]vulnerable code in header.php on line 5

  [1]  <html>
  [2]
  [3]  <head>
  [4]
  [5]  <title><? echo "$title"; ?></title>
  
   --------------------
   
   Exploit : http://localhost/openguestbook/header.php?title=</title>[XSS]
   
  [-] Solution
  
  edit line 5 on header.php
  
  [5] <title><? echo htmlspecialchars($title); ?></title>
   
   
[+]SQL Injection 
******************

   [-]vulnerable code near lines 23 - 28
   
   [23]  if (empty($offset)) {
   [24]  $offset=0;
   [25]  }
   [26]  
   [27]  // get results
   [28]  $result=mysql_query("SELECT * FROM $tentries ORDER BY ID DESC limit 
$offset,$limit");

   [-]Exploit : http://localhost/openguestbook/view.php?offset=[SQL]

   [-]Solution :
   
   edit line 23 in view.php 
   
   [23]  if (empty($offset) OR !is_numeric($offset) {
   [24]  $offset=0;

   
[+] Contact :
**************

simo64[at]gmail[dot]com

Prev by Date: Amazon and Msn vulnerabilities
Next by Date: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
Previous by thread: Amazon and Msn vulnerabilities
Next by thread: Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
Index(es):
- Date
- Thread