+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A08 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------
Name               : BG Guestbook Cross Site Scripting Vulnerability
Software Package   : BG Guestbook
Vendor Homepage    : http://billyg.no-ip.com:8080/bggb/
Vulnerable Versions: v1.0
Platforms          : PHP & MySQL dependent
Vulnerability Type : Input Validation Error
Vendor Contacted   : 15/03/2002
Vendor Replied     : waiting for reply (5 days left)
Prior Problems     : N/A
Current Version    : v1.1 (immune)

Summary
-------
BG GuestBook is a PHP guestbook that utilizes MySQL, has a Macromedia Flash
interface and is also capable of using HTML only, where Flash is not
supported.

A Cross Site Scripting vulnerability exists in BG GuestBook. This would
allow a remote attacker to send information to victims from untrusted web
servers, and make it look as if the information came from the legitimate
server.

Details
-------
Both the Flash and HTML only versions are vulnerable to Cross Site
Scripting attacks. All of the input fields (including name, email, AIM,
location, website and message) in the posting form are vulnerable to this
type of attack.

Example input to any of the above fields:

  <script>alert("ALPERz was here!")</script>

After submitting this information, whenever anyone browses the guestbook's
main page, the script will take effect.

Solution
--------
The vendor confirmed the vulnerability and released a new version on the
same day of the bug's discovery.

I suggested stripping HTML tags, and possibly other malicious code, within
"signgbook.php". As a workaround, add the lines below at the beginning of
"signgbook.php":

  # Patch Start
  $name    = strip_tags($name);
  $email   = strip_tags($email);
  $aimscr  = strip_tags($aimscr);
  $website = strip_tags($website);
  $loc     = strip_tags($loc);
  $msg     = strip_tags($msg);
  # Patch End

Credits
-------
Discovered on 15, March, 2002 by Ahmet Sabri ALPER
salper@olympos.org
http://www.olympos.org

References
----------
Product Web Page: http://billyg.no-ip.com:8080/bggb/
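The following is an added example and is not BG Guestbook's own code. It
models the two steps the advisory describes: signgbook.php stores the
posting form fields (the advisory's names $name, $email, $aimscr, $website,
$loc, $msg are reused) and the main page renders them. It shows the stored
value reaching the page unchanged, the strip_tags() workaround applied to
the posting fields, and output encoding with htmlspecialchars() as the
complementary fix at render time, which the advisory does not mention. The
function names and the submission data are constructed for this example.

```php
<?php
// Added example, not BG Guestbook's code. Field names follow the advisory;
// the function names and the sample submission are hypothetical.

// The input the advisory gives as its example.
$exampleInput = '<script>alert("ALPERz was here!")</script>';

// Vulnerable behaviour: each stored field is echoed into the guestbook
// page as-is, so any markup in it is interpreted by the visitor's browser.
function render_entry_vulnerable(array $entry): string
{
    $html = '';
    foreach ($entry as $field => $value) {
        $html .= "<b>$field:</b> $value<br>\n";
    }
    return $html;
}

// The advisory's workaround: strip_tags() on each posting field at the
// beginning of signgbook.php, before the values are written to MySQL.
// Tags are removed; the text between them is kept.
function sanitize_post_fields(array $post): array
{
    $fields = ['name', 'email', 'aimscr', 'website', 'loc', 'msg'];
    $clean = [];
    foreach ($fields as $f) {
        $clean[$f] = strip_tags($post[$f] ?? '');
    }
    return $clean;
}

// Defence in depth: encode on output so that whatever reached the database
// (including entries posted before the workaround was applied) is shown
// as text rather than interpreted as markup.
function render_entry_safe(array $entry): string
{
    $html = '';
    foreach ($entry as $field => $value) {
        $safeField = htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8');
        $safeValue = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $html .= "<b>$safeField:</b> $safeValue<br>\n";
    }
    return $html;
}

// Constructed submission: the advisory's example input in the message field.
$post = [
    'name'    => 'visitor',
    'email'   => 'visitor@example.invalid',
    'aimscr'  => '',
    'website' => '',
    'loc'     => '',
    'msg'     => $exampleInput,
];

echo "Vulnerable output (script element reaches the browser):\n";
echo render_entry_vulnerable($post);

$clean = sanitize_post_fields($post);
echo "\nMessage field after the strip_tags() workaround:\n";
echo $clean['msg'], "\n";

echo "\nMessage field with output encoding at render time:\n";
echo render_entry_safe(['msg' => $post['msg']]);
```

Run it with php from the command line to compare the three outputs. The
strip_tags() step matches the advisory's patch and removes the script
element from the page's example input, but it only filters on the way in
and does nothing for entries already stored; encoding at render time covers
every stored value regardless of when it was posted, so the two belong
together.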