MicroGuestBook Remote XSS Attack

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MicroGuestBook Remote XSS Attack
From: omnipresent@xxxxxxxx
Date: 21 Jul 2006 22:54:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

.:. MicroGuestBook Remote XSS Bug .:.

Date:
-----

July 2006, 22

Product:
--------

MicroGuestBook Latest Version

Vendor:
-------

http://www.phptoys.com

Description:
------------

Micro guestbook is a MySQL based guestbook script with a CSS based attractive 
interface. It can store the name, date, 
message, location, web and email information of the visitor.

Exploit(s)/Advisory(ies):
-------------------------

The application is vulnerable to a Remote XSS Bug. The field 'name' and 
'comment' are not properly sanitized before being
used, so a malicious people can exploit this vulnerability to inject arbitrary 
HTML and script code.

If you look the code in add.php you can see:

[...]

if (isset($_POST['submitBtn'])) {
         $name     = (isset($_POST['name'])) ? $_POST['name'] : '' ;
         $comment  = (isset($_POST['comment'])) ? $_POST['comment'] : '' ;
         $location = (isset($_POST['location'])) ? $_POST['location'] : '' ;
         $website  = (isset($_POST['website'])) ? $_POST['website'] : '' ;
         $email    = (isset($_POST['email'])) ? $_POST['email'] : '' ;
         $actDate  = date("Y-m-d H:i:s");
         
         //Minimum name and comment length.
         if ((strlen($name) > 2) && (strlen($comment) > 5)){
             $sql = "INSERT INTO guestbook 
(name,text,insertdate,location,web,email) VALUES (";
             $sql .= 
"'".$name."','".$comment."','".$actDate."','".$location."','".$website."','".$email."')";
             $MyDb->f_ExecuteSql($sql);

[...]

And in index.php you will see:

[...]

 <div id="name"><?php echo $row['name']; ?></div>
            <div id="info">
              <div id="infoicons">
                <?php
                   if (strlen($row['web']) > 5) echo '<a 
href="http://'.$row['web'].'"><img src="style/www.gif"></a>';
                   if (strlen($row['email']) > 5) echo '<a 
href="mailto:'.$row['email'].'"><img src="style/mail.gif"></a>';
                ?>
              </div>
              <div id="infodate"><?php echo $row['insertdate']; ?></div>
            </div>
          </div>
          <div id="base">
            <div id="icon"><?php echo $row['location']; ?></div>
            <div id="text"><?php echo nl2br($row['text']); ?></div>

[...]

PoC(s):
-------

You can put your own HTML or script code in the field name or comment. Try:

<script>alert("XSS")</script>

Vendor Status:
--------------

[July 2006, 22] Vendor contacted!

Patches:
--------

[July 2006, 22] At the moment there is no patch available from the vendor. You 
can take a look at this site if a patch will
be posted up:

http://www.phptoys.com

If you don't wanna wait, edit the source code to ensure  that input is properly 
sanitised.

Credits:
--------

omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org

Prev by Date: [MajorSecurity #24] Fire-Mouse TopList <=v1.1 - Cross Site Scripting
Next by Date: Low security hole affecting IPCalc's CGI wrapper
Previous by thread: [MajorSecurity #24] Fire-Mouse TopList <=v1.1 - Cross Site Scripting
Next by thread: Low security hole affecting IPCalc's CGI wrapper
Index(es):
- Date
- Thread