LS simple guestbook - arbitrary code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: LS simple guestbook - arbitrary code execution
From: jd2k2000@xxxxxxxxxxx
Date: 15 Apr 2007 03:53:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

########################################################
#   Special Greetings To - Timq,Warpboy,The-Maggot     #
########################################################

File: index.php
Affects: LS simple guestbook (v1)
Date: 15th April 2007

Issue Description:
===========================================================================
LS simple guestbook fails to sanitize user input that it writes to the 
posts.txt file when the user leaves a message, this file is then included 
causing any php code within it to be run.
===========================================================================

Scope:
===========================================================================
An attacker can inject arbitrary php code and potentially execute commands 
on the system.
===========================================================================

Recommendation:
===========================================================================
Add the following line of code in index.php: 

$message = strip_tags($message);

just above: 

if ($message != "") {$file = fopen("$dataf","a");
===========================================================================


Example:

name = Test
message = <?php phpinfo(); ?>


Discovered By: Gammarays

Prev by Date: Re: [exploits] RPC vuln in DNS Server (fwd)
Next by Date: Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln.
Previous by thread: Re: [exploits] RPC vuln in DNS Server (fwd)
Next by thread: Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln.
Index(es):
- Date
- Thread