-------------------------------------------------------------
itcp advisory 7
advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/7.html
April 3rd, 2002
-------------------------------------------------------------

Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command
Execution under certain circumstances
----------------------------------------------

Affected program:    Dynamic Guestbook V3.0
Vendor:              www.gcf.de (German Computer Freaks)
Vulnerability-Class: XSS / Arbitrary Command Execution under certain circumstances
OS specific:         as far as I know: no
Problem-Type:        remote
Certified with:      Windows 2000 and Xitami Webserver

SUMMARY

Dynamic Guestbook V3.0 does not check for bad user input (such as PHP code or JavaScript). Under certain circumstances it is possible to execute arbitrary commands on the server.

DETAILS

As you can see in this script, which is used to write the user input into a file (usually gb.data), the input is not tested for Cross Site Scripting or any malicious characters.

###################### quote source ############################

##### Open the file for reading #####
open (GBDB, $in{gbdaten});
@inhalt = <GBDB>;
close (GBDB);

##### Write the entry at the beginning of the file #####
chomp($date);
open (GBDB, ">>$gbdaten") || print "Konnte nicht in $gbdaten schreiben";
print GBDB "$in{name}:|:$in{mail}:|:$date:|:$ENV{'REMOTE_ADDR'}:|:$in{kommentar}\n";
foreach $zeile (@inhalt) {
    print GBDB $zeile;
}
close (GBDB);

################### /quote ##########################

IMPACT

Commands can possibly be executed with the rights of the current user. Also, Cross Site Scripting is possible.

EXPLOIT

A proof of concept exploit will be released in an updated advisory at the end of April at http://www.it-checkpoint.net/advisory/7.html

ADDITIONAL INFORMATION

Vendor has been contacted with an advisory including a proof of concept exploit.
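As an added example (not the advisory's code and not the vendor's), a hardened form of the write routine quoted under DETAILS: each field is HTML-escaped, stripped of newlines and of the ":|:" record separator, and appended to a data file whose name is a constant opened with three-argument open rather than a name taken from the form. The field names, the file path and the sample input are assumptions.

```perl
# Added example, not code from the advisory or from the vendor: a hardened
# replacement for the quoted write routine. Assumed: %in holds the decoded
# form fields as in the original, and the data file path is a constant.
use strict;
use warnings;
use Fcntl qw(:flock);

my $gbdaten = 'gb.data';   # assumed fixed path, never taken from the request

# Escape HTML metacharacters so a stored entry renders as text, not markup.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Keep a field inside one gb.data record: strip newlines (one record per
# line) and the ":|:" separator, so a comment cannot forge extra fields.
sub clean_field {
    my $s = escape_html(shift);
    $s =~ s/[\r\n]+/ /g;
    $s =~ s/:\|:/ /g;
    return $s;
}

# Build one record, then append it under a lock. The three-argument open
# with a constant mode means the file name can never be read as a pipe.
sub append_entry {
    my ($in, $date, $ip) = @_;
    chomp($date);
    my $line = join(':|:', map { clean_field($_) }
        $in->{name}, $in->{mail}, $date, $ip, $in->{kommentar}) . "\n";
    open(my $fh, '>>', $gbdaten) or die "Could not write to $gbdaten: $!";
    flock($fh, LOCK_EX) or die "Could not lock $gbdaten: $!";
    print {$fh} $line;
    close($fh) or die "Could not close $gbdaten: $!";
    return $line;
}
# Constructed sample input, used only when this file is run directly.
unless (caller) {
    my %in = (name => 'Mallory <b>bold</b>', mail => 'm@example.invalid',
              kommentar => "hello:|:forged\nsecond line");
    print append_entry(\%in, "03.04.2002\n", '192.0.2.10');
}
```

Escaping on write keeps the stored gb.data free of markup; if the display script is also changed to escape on output, the two layers are independent and either one alone still prevents the stored script from running.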
Bug discovered and published by Florian Hobelsberger (BlueScreen) from www.IT-Checkpoint.net

--------------------------------------------

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.