~*~*~*~*~*~*~ Introduction ~*~*~*~*~*~*~ Jason Maloney's Guestbook is a simple CGI script which is both an easy to use and easy to setup guestbook script. The script fails to carefully sanitize user input, such as certain dangerous metacharacters, resulting in an XSS vulnerability. ~*~*~*~*~*~*~ The Bug ~*~*~*~*~*~*~ During the user-input parsing routine, below, the guestbook script performs poor user-input sanitization, resulting in an XSS vulnerability. Here is the vulnerable code: ############### START HERE ############### read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); @pairs = split(/&/, $buffer); foreach $pair (@pairs) { ($name, $value) = split(/=/, $pair); $value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; $value =~ s/<!--(.|\n)*-->//g; if ($allow != 1) { $value =~ s/<([^>]|\n)*>//g; } $FORM{$name} = $value; } ################ END HERE ################ The code fails to properly check for and eliminate some dangerous metacharacters such as '<' and '>' in some places, thus resulting in the potential to embed pieces of javascript and other malicious code into form fields. ~*~*~*~*~*~*~ Impact ~*~*~*~*~*~*~ Allows malicious users to execute script as other users. ~*~*~*~*~*~*~ The Exploit ~*~*~*~*~*~*~ During the input of information into the fields in the guestbook message posting form, an attacker can simply insert malicious javascript code into a text field, such as the 'name' field. Simple insert '<script>alert("Vulnerable")</script>' into the 'name' field and post a message to test the vulnerability out. An alert window will appear with containing the string "Vulnerable". When a user visits the guestbook page, the popup will appear again, thus the potential for code execution is existant. An attacker can easily insert more malicious javascript depending on her intentions. ~*~*~*~*~*~*~ The Fix ~*~*~*~*~*~*~ The vulnerability can be fixed by applying the following simple diff patch via the command 'patch guest.cgi guest.patch'. (I'm sorry for the size of it - I'm new to diff and couldn't figure out how to decrease the size. Anybody with the answer, please kindly email me :-)) ############### START HERE ############### --- guest.cgi 2003-12-03 16:07:15.000000000 +0000 +++ guest1.cgi 2003-12-05 17:05:31.000000000 +0000 @@ -1,280 +1,282 @@ -#!/usr/local/bin/perl -####################################################### -# Program - Guestbook - version 3.0 # -# Updated April 16, 1998 # -# # -# This is a Guestbook program that logs the Name, # -# E-mail, URL, City, State and a Comment. The # -# person, however, must enter their Name, E-mail, # -# and a Comment. # -# # -# MAKE SURE THAT YOU READ OVER THE TERMS OF AGREEMENT # -# BEFORE USING THIS SCRIPT. BY USING THIS SCRIPT, # -# YOU ARE AGREEING TO ABIDE BY THEM. HOWEVER, IF YOU # -# DON'T AGREE WITH IT, THEN DON'T USE MY SCRIPTS. # -# PLEASE READ THE 'README.TXT' FILE BEFORE INSTALLING.# -# KEEP IN MIND THAT JASON'S SCRIPTS & THE AESTHETIC # -# SURGERY CENTER SHALL NOT BE HELD LIABLE FOR ANY # -# DAMAGES THAT MAY OCCUR FROM DOWNLOADING AND/OR # -# INSTALLING MY PROGRAMS. USE AT YOUR OWN RISK! # -# # -# A Few liness came from Matt's Scripts @ # -# http://www.worldwidemart.com/scripts # -####################################################### -$directory_gbook = "/usr/users/guestbook/guestbook.html"; -$guestbook = "http://www.yourdomain.com/guestbook/guestbook.html";; -$cgi = "http://www.yourdomain.com/guestbook/guest.cgi";; -$base = "http://www.yourdomain.com/guestbook/";; -$gif1 = "add.gif"; -$gif2 = "miss.gif"; -$gif3 = "thanks.gif"; -$gif4 = "blueline.gif"; - -$mail = 1; -$mailto = 'user@yourcompany.com'; - -############################################################ -#Don't touch, these are necessary to run the script! -$mailprog = '/usr/lib/sendmail'; -$entry = 1; -$allow = 1; -$date_command = "/usr/bin/date"; -############################################################ -$date = `$date_command +"%B %d, %Y"`; chop($date); - -read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); -@pairs = split(/&/, $buffer); -foreach $pair (@pairs) { - ($name, $value) = split(/=/, $pair); - $value =~ tr/+/ /; - $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; - $value =~ s/<!--(.|\n)*-->//g; - - if ($allow != 1) { - $value =~ s/<([^>]|\n)*>//g; - } - - $FORM{$name} = $value; -} - -######## -#Checks to see that the comments, name and e-mail address were added! -&no_comments unless $FORM{'comments'}; -&no_name unless $FORM{'name'}; -&no_email unless $FORM{'email'}; - -###### -#Checks to see if the E-mail address is in the normal form, -#yourname@yourcompany.com - -if (&email_check($FORM{'email'})) { -} -else { -&no_email; -} - -####### -#Opens 'guestbook.html' for writting -open (FILE,"$directory_gbook") || die "Can't Open $directory_gbook: $!\n"; -@LINES=<FILE>; -close(FILE); -$SIZE=@LINES; - -# Open Link File to Output -open (GUEST,">$directory_gbook") || die "Can't Open $directory_gbook: $!\n"; - -for ($i=0;$i<=$SIZE;$i++) { - $_=$LINES[$i]; - if (/<!--add-->/) { - if ($entry eq '1') { - print GUEST "<!--add-->\n"; - } - print GUEST "<TABLE CELLPADDING=0 CELLSPACING=1 BORDER=0>\n"; - if ( $FORM{'name'}) { - print GUEST "<TR><TD><B>Name:</B></TD> <TD>$FORM{'name'} - $date</TD></TR>\n"; - } - if ($FORM{'email'}) { - print GUEST "<TR><TD><B>E-mail:</B></TD> <TD><A HREF=\"mailto:$FORM{'email'}\"> $FORM{'email'}</A></TD></TR>\n"; - } - if ($FORM{'url'} ne "http://";) { - print GUEST "<TR><TD><B>My URL:</B></TD> <TD><A HREF=$FORM{'url'}>$FORM{'url'}</A></TD></TR>\n"; - } - else { - } - if ( $FORM{'city'} ){ - print GUEST "<TR><TD><B>Location: </B></TD> <TD>$FORM{'city'}"; - print GUEST ", $FORM{'state'} $FORM{'country'}</TD></TR>\n"; - } - print GUEST "<TR><TD VALIGN=top><B>Comments: </B></TD> \n"; - print GUEST "<TD>$FORM{'comments'}</TD></TR></TABLE><P>\n"; - print GUEST "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR>\n\n\n"; - if ($entry eq '0') { - print GUEST "<!--add->\n"; - } - } - else { - print GUEST $_; - } -} -close (GUEST); - -######### -# Mail Option -if ($mail eq '1') { - open (MAIL, "|$mailprog $mailto") || die "Can't open $mailprog!\n"; - print MAIL "Reply-to: $FORM{'email'} ($FORM{'name'})\n"; - print MAIL "From: $FORM{'email'} ($FORM{'name'})\n"; - print MAIL "Subject: Entry to YOUR Guestbook\n\n"; - print MAIL "$FORM{'name'} <$FORM{'email'}> has made an entry to your guestbook!\n"; - print MAIL " - $date\n"; - close (MAIL); -} - -############## -# Print Thank You HTML - print "Content-Type: text/html\n\n"; - print "<HTML>\n"; - print "<TITLE>Thank You</TITLE>\n"; - print "<BODY BGCOLOR=#FFFFFF>\n"; - print "<CENTER><IMG SRC=\"$base$gif3\"></CENTER><BR>\n"; - print "Thank you, your entry has been added to our"; - print "<A HREF=\"$guestbook\"> guestbook.</A><P>\n"; - print "Here is what you submitted:<P>\n"; - print "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR>\n"; - if ( $FORM{'name'}) { - print "<B>Name:</B> $FORM{'name'} - $date<BR>\n"; - } - if ($FORM{'email'}) { - print "<B>My E-mail:</B> <a href=\"mailto:$FORM{'email'}\"> $FORM{'email'}</a><BR>\n"; - } - if ($FORM{'url'} ne "http://";) { - print "<B>My URL:</B> <a href=$FORM{'url'}>$FORM{'url'}</a><BR>\n"; - } - else { - } - if ( $FORM{'city'} ){ - print "<B>Location: </B>$FORM{'city'}"; - print ", $FORM{'state'} $FORM{'country'}<BR>"; - } - print "<BR><BR><B>Comments:</B>\n"; - print "$FORM{'comments'}<BR>\n"; - print "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR><BR>\n"; - print "</body></html>\n"; - exit; - - -####################### -# Subroutines -sub no_name { - print "Content-type: text/html\n\n"; - print "<HTML>\n"; - print "<TITLE>No Name</TITLE>\n"; - print "<BODY BGCOLOR=#FFFFFF>\n"; - print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; - print "You forgot to fill in your Name. We need this in order to\n"; - print "process your entry. Please add your name in the blank below.<p>\n"; - print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; - print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; - print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" "; - print "SIZE=50></TD></TR>\n"; - print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; - print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; - print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; - print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; - print " "; - print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; - print "size=2> <B>Country:</B> "; - print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; - print "<TR><TD><B>Comments:</B></TD><TD>Comments are stored and saved"; - print "<INPUT TYPE=HIDDEN NAME=\"comments\" "; - print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n"; - print "<TR><TD> </TD><TD></TD></TR>\n"; - print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; - print "</TABLE>\n"; - print "</FORM>\n"; - print "</BODY></HTML>\n"; - exit; -} - -sub no_email { - print "Content-type: text/html\n\n"; - print "<HTML>\n"; - print "<TITLE>No E-Mail</TITLE>\n"; - print "<BODY BGCOLOR=#FFFFFF>\n"; - print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; - print "You forgot to fill in your E-mail address or the e-mail addres you added\n"; - print "is invalid. We need this in order to\n"; - print "process your entry. Please add your E-mail in the blank below.<p>\n"; - print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; - print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; - print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" VALUE=\"$FORM{'name'}\" "; - print "SIZE=50></TD></TR>\n"; - print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; - print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; - print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; - print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; - print " "; - print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; - print "size=2> <B>Country:</B> "; - print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; - print "<TR><TD><B>Comments:</B></TD><TD>Comments are stored and saved"; - print "<INPUT TYPE=HIDDEN NAME=\"comments\" "; - print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n"; - print "<TR><TD> </TD><TD></TD></TR>\n"; - print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; - print "</TABLE>\n"; - print "</FORM>\n"; - print "</BODY></HTML>\n"; - exit; -} - -sub no_comments { - print "Content-type: text/html\n\n"; - print "<HTML>\n"; - print "<TITLE>No Comments</TITLE>\n"; - print "<BODY BGCOLOR=#FFFFFF>\n"; - print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; - print "You forgot to fill in your Comment. We need this in order to\n"; - print "process your entry. Please add a comment in the blank below.<p>\n"; - print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; - print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; - print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" "; - print "VALUE=\"$FORM{'name'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; - print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; - print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; - print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; - print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; - print " "; - print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; - print "size=2> <B>Country:</B> "; - print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; - print "<TR><TD><B>Comments:</B></TD><TD><TEXTAREA NAME=\"comments\" "; - print "COLS=50 ROWS=7></TEXTAREA><p>\n"; - print "<TR><TD> </TD><TD></TD></TR>\n"; - print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; - print "</TABLE>\n"; - print "</FORM>\n"; - print "\n</BODY></HTML>\n"; - exit; -} - -sub email_check { - local($emails) = $_[0]; - - if ($emails =~ /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)|(\.$)/ || - ($emails !~ /^.+\@localhost$/ && - $emails !~ /^.+\@\[?(\w|[-.])+\.[a-zA-Z]{2,3}|[0-9]{1,3}\]?$/)) { - return(0); - } - - else { - return(1); - } -} -1; \ No newline at end of file +#!/usr/bin/perl +####################################################### +# Program - Guestbook - version 3.0 # +# Updated April 16, 1998 # +# # +# This is a Guestbook program that logs the Name, # +# E-mail, URL, City, State and a Comment. The # +# person, however, must enter their Name, E-mail, # +# and a Comment. # +# # +# MAKE SURE THAT YOU READ OVER THE TERMS OF AGREEMENT # +# BEFORE USING THIS SCRIPT. BY USING THIS SCRIPT, # +# YOU ARE AGREEING TO ABIDE BY THEM. HOWEVER, IF YOU # +# DON'T AGREE WITH IT, THEN DON'T USE MY SCRIPTS. # +# PLEASE READ THE 'README.TXT' FILE BEFORE INSTALLING.# +# KEEP IN MIND THAT JASON'S SCRIPTS & THE AESTHETIC # +# SURGERY CENTER SHALL NOT BE HELD LIABLE FOR ANY # +# DAMAGES THAT MAY OCCUR FROM DOWNLOADING AND/OR # +# INSTALLING MY PROGRAMS. USE AT YOUR OWN RISK! # +# # +# A Few liness came from Matt's Scripts @ # +# http://www.worldwidemart.com/scripts # +####################################################### + +$directory_gbook = "/usr/local/apache/htdocs/guestbook.html"; +$guestbook = "http://localhost/guestbook.html";; +$cgi = "http://localhost/cgi-bin/guest.cgi";; +$base = "http://localhost/cgi-bin";; +$gif1 = "add.gif"; +$gif2 = "miss.gif"; +$gif3 = "thanks.gif"; +$gif4 = "blueline.gif"; + +$mail = 1; +$mailto = 'shaunige@yahoo.co.uk'; +$OK_CHARS='-a-zA-Z0-9_.@'; + +############################################################ +#Don't touch, these are necessary to run the script! +$mailprog = '/usr/lib/sendmail'; +$entry = 1; +$allow = 1; +$date_command = "/usr/bin/date"; +############################################################ +$date = `$date_command +"%B %d, %Y"`; chop($date); + +read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'}); +@pairs = split(/&/, $buffer); +foreach $pair (@pairs) { + ($name, $value) = split(/=/, $pair); + $value =~ tr/+/ /; + $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; + $value =~ s/[^$OK_CHARS]/_/go; + + if ($allow != 1) { + s/[^$OK_CHARS]/_/go; + } + + $FORM{$name} = $value; +} + +######## +#Checks to see that the comments, name and e-mail address were added! +&no_comments unless $FORM{'comments'}; +&no_name unless $FORM{'name'}; +&no_email unless $FORM{'email'}; + +###### +#Checks to see if the E-mail address is in the normal form, +#yourname@yourcompany.com + +if (&email_check($FORM{'email'})) { +} +else { +&no_email; +} + +####### +#Opens 'guestbook.html' for writting +open (FILE,"$directory_gbook") || die "Can't Open $directory_gbook: $!\n"; +@LINES=<FILE>; +close(FILE); +$SIZE=@LINES; + +# Open Link File to Output +open (GUEST,">$directory_gbook") || die "Can't Open $directory_gbook: $!\n"; + +for ($i=0;$i<=$SIZE;$i++) { + $_=$LINES[$i]; + if (/<!--add-->/) { + if ($entry eq '1') { + print GUEST "<!--add-->\n"; + } + print GUEST "<TABLE CELLPADDING=0 CELLSPACING=1 BORDER=0>\n"; + if ( $FORM{'name'}) { + print GUEST "<TR><TD><B>Name:</B></TD> <TD>$FORM{'name'} - $date</TD></TR>\n"; + } + if ($FORM{'email'}) { + print GUEST "<TR><TD><B>E-mail:</B></TD> <TD><A HREF=\"mailto:$FORM{'email'}\"> $FORM{'email'}</A></TD></TR>\n"; + } + if ($FORM{'url'} ne "http://";) { + print GUEST "<TR><TD><B>My URL:</B></TD> <TD><A HREF=$FORM{'url'}>$FORM{'url'}</A></TD></TR>\n"; + } + else { + } + if ( $FORM{'city'} ){ + print GUEST "<TR><TD><B>Location: </B></TD> <TD>$FORM{'city'}"; + print GUEST ", $FORM{'state'} $FORM{'country'}</TD></TR>\n"; + } + print GUEST "<TR><TD VALIGN=top><B>Comments: </B></TD> \n"; + print GUEST "<TD>$FORM{'comments'}</TD></TR></TABLE><P>\n"; + print GUEST "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR>\n\n\n"; + if ($entry eq '0') { + print GUEST "<!--add->\n"; + } + } + else { + print GUEST $_; + } +} +close (GUEST); + +######### +# Mail Option +if ($mail eq '1') { + open (MAIL, "|$mailprog $mailto") || die "Can't open $mailprog!\n"; + print MAIL "Reply-to: $FORM{'email'} ($FORM{'name'})\n"; + print MAIL "From: $FORM{'email'} ($FORM{'name'})\n"; + print MAIL "Subject: Entry to YOUR Guestbook\n\n"; + print MAIL "$FORM{'name'} <$FORM{'email'}> has made an entry to your guestbook!\n"; + print MAIL " - $date\n"; + close (MAIL); +} + +############## +# Print Thank You HTML + print "Content-Type: text/html\n\n"; + print "<HTML>\n"; + print "<TITLE>Thank You</TITLE>\n"; + print "<BODY BGCOLOR=#FFFFFF>\n"; + print "<CENTER><IMG SRC=\"$base$gif3\"></CENTER><BR>\n"; + print "Thank you, your entry has been added to our"; + print "<A HREF=\"$guestbook\"> guestbook.</A><P>\n"; + print "Here is what you submitted:<P>\n"; + print "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR>\n"; + if ( $FORM{'name'}) { + print "<B>Name:</B> $FORM{'name'} - $date<BR>\n"; + } + if ($FORM{'email'}) { + print "<B>My E-mail:</B> <a href=\"mailto:$FORM{'email'}\"> $FORM{'email'}</a><BR>\n"; + } + if ($FORM{'url'} ne "http://";) { + print "<B>My URL:</B> <a href=$FORM{'url'}>$FORM{'url'}</a><BR>\n"; + } + else { + } + if ( $FORM{'city'} ){ + print "<B>Location: </B>$FORM{'city'}"; + print ", $FORM{'state'} $FORM{'country'}<BR>"; + } + print "<BR><BR><B>Comments:</B>\n"; + print "$FORM{'comments'}<BR>\n"; + print "<CENTER><IMG SRC=\"$base$gif4\"></CENTER><BR><BR>\n"; + print "</body></html>\n"; + exit; + + +####################### +# Subroutines +sub no_name { + print "Content-type: text/html\n\n"; + print "<HTML>\n"; + print "<TITLE>No Name</TITLE>\n"; + print "<BODY BGCOLOR=#FFFFFF>\n"; + print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; + print "You forgot to fill in your Name. We need this in order to\n"; + print "process your entry. Please add your name in the blank below.<p>\n"; + print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; + print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; + print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" "; + print "SIZE=50></TD></TR>\n"; + print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; + print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; + print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; + print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; + print " "; + print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; + print "size=2> <B>Country:</B> "; + print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; + print "<TR><TD><B>Comments:</B></TD><TD>Comments are stored and saved"; + print "<INPUT TYPE=HIDDEN NAME=\"comments\" "; + print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n"; + print "<TR><TD> </TD><TD></TD></TR>\n"; + print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; + print "</TABLE>\n"; + print "</FORM>\n"; + print "</BODY></HTML>\n"; + exit; +} + +sub no_email { + print "Content-type: text/html\n\n"; + print "<HTML>\n"; + print "<TITLE>No E-Mail</TITLE>\n"; + print "<BODY BGCOLOR=#FFFFFF>\n"; + print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; + print "You forgot to fill in your E-mail address or the e-mail addres you added\n"; + print "is invalid. We need this in order to\n"; + print "process your entry. Please add your E-mail in the blank below.<p>\n"; + print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; + print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; + print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" VALUE=\"$FORM{'name'}\" "; + print "SIZE=50></TD></TR>\n"; + print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; + print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; + print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; + print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; + print " "; + print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; + print "size=2> <B>Country:</B> "; + print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; + print "<TR><TD><B>Comments:</B></TD><TD>Comments are stored and saved"; + print "<INPUT TYPE=HIDDEN NAME=\"comments\" "; + print "VALUE=\"$FORM{'comments'}\"></TD></TR>\n"; + print "<TR><TD> </TD><TD></TD></TR>\n"; + print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; + print "</TABLE>\n"; + print "</FORM>\n"; + print "</BODY></HTML>\n"; + exit; +} + +sub no_comments { + print "Content-type: text/html\n\n"; + print "<HTML>\n"; + print "<TITLE>No Comments</TITLE>\n"; + print "<BODY BGCOLOR=#FFFFFF>\n"; + print "<CENTER><IMG SRC=\"$base$gif2\"></CENTER><BR>\n"; + print "You forgot to fill in your Comment. We need this in order to\n"; + print "process your entry. Please add a comment in the blank below.<p>\n"; + print "<TABLE CELLSPACING=3 CELLPADDING=2>\n"; + print "<FORM METHOD=POST ACTION=\"$cgi\">\n"; + print "<TR><TD><B>Name:</B></TD><TD><INPUT TYPE=TEXT NAME=\"name\" "; + print "VALUE=\"$FORM{'name'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>E-Mail:</B></TD><TD><INPUT TYPE=TEXT NAME=\"email\" "; + print "VALUE=\"$FORM{'email'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>URL:</B></TD><TD><INPUT TYPE=TEXT NAME=\"url\" "; + print "VALUE=\"$FORM{'url'}\" SIZE=50></TD></TR>\n"; + print "<TR><TD><B>City:</B></TD><TD><INPUT TYPE=TEXT NAME=\"city\" "; + print "VALUE=\"$FORM{'city'}\" SIZE=15>\n"; + print " "; + print "<B>State:</B><INPUT TYPE=TEXT NAME=\"state\" value=\"$FORM{'state'}\" "; + print "size=2> <B>Country:</B> "; + print "<INPUT TYPE=TEXT NAME=\"country\" VALUE=\"$FORM{'country'}\" SIZE=10></TR>\n"; + print "<TR><TD><B>Comments:</B></TD><TD><TEXTAREA NAME=\"comments\" "; + print "COLS=50 ROWS=7></TEXTAREA><p>\n"; + print "<TR><TD> </TD><TD></TD></TR>\n"; + print "<TR><TD></TD><TD><INPUT TYPE=IMAGE SRC=\"$base$gif1\" BORDER=NO></TD></TR>\n"; + print "</TABLE>\n"; + print "</FORM>\n"; + print "\n</BODY></HTML>\n"; + exit; +} + +sub email_check { + local($emails) = $_[0]; + + if ($emails =~ /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)|(\.$)/ || + ($emails !~ /^.+\@localhost$/ && + $emails !~ /^.+\@\[?(\w|[-.])+\.[a-zA-Z]{2,3}|[0-9]{1,3}\]?$/)) { + return(0); + } + + else { + return(1); + } +} +1; ################ END HERE ################ The patch changes the script to instead sanitize input based on an array of permitted characters, rather than an array of disallowed ones. ~*~*~*~*~*~*~ Credit ~*~*~*~*~*~*~ This vulnerability was discovered by Shaun Colley / shaun2k2 on 05/12/03. Thank you for your time. Shaun. ________________________________________________________________________ Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs http://www.yahoo.co.uk/robbiewilliams