[MajorSecurity #24] Fire-Mouse TopList <=v1.1 - Cross Site Scripting
[MajorSecurity #24] Fire-Mouse TopList <=v1.1 - Cross Site Scripting
----------------------------------------------------------------------------------------
Software: Fire-Mouse TopList v1.1
Version: 1.1
Type: Cross site scripting
Vendor: Fire-Mouse.com
Page: http://www.fire-mouse.com
TIMELINE:
----------------------------------------------
Discovered: July, 17th 2006
Contacted Vendor: July, 18th 2006
Made public: July, 22th 2006
Credits:
----------------------------------------------
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de
Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls24.txt
Affected Products:
----------------------------------------------
Fire-Mouse TopList v1.1 and prior
Description:
----------------------------------------------
Advanced Guestbook is a PHP-based guestbook script.
It includes many useful features such as preview, templates, e-mail
notification, picture upload, page spanning ,
html tags handling, smilies, advanced guestbook codes and language support.
The admin script lets you modify, view, and delete messages. Requires PHP4 and
MySQL.
Requirements:
----------------------------------------------
register_globals = On
Vulnerabilities:
----------------------------------------------
XSS:
Input passed directly to the "Seitenname" parameter in "add.php" is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
It works with a script code like this:
>'><script>alert('MajorSecurity')</script>
Solution:
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to
ensure that html tags
are not going to be executed.
Example:
<?php
$pass = htmlentities($_POST['pass']);
echo htmlspecialchars("<script");
?>
Set "register_globals" to "Off".