.:. Simple one-file guestbook 1.0 .:.

Date:
-----
August 08, 2006

Vendor:
-------
http://www.xeroxer.com/index.php?page=3

Description:
------------
This is my simple one-file guestbook. It's made of one .php file (the script) and one .txt file (the entry storage file). It uses no database, just a flat text file. It is made so it's easy to include in any page. It has admin login where you can edit and remove entries.
Demo can be found at: http://php.xeroxer.com/simple_one-file_guestbook/demo/guestbook.php
Any help needed please mail me at: webmaster@xxxxxxxxxxx

Version:
--------
<= 1.0

Vulnerability(ies) / Exploit(s):
--------------------------------
Malicious people can bypass the administrator panel and delete all of the messages in the guestbook, because the admin credentials are never checked before the delete action is performed.

PoC(s):
-------
An attacker can use this URL via the browser to delete all messages:
http://host/[path]/guestbook.php?id=4

Vendor Status:
--------------
[August 08, 2006] Informed!

Solution:
---------
[August 08, 2006] No solution available from the vendor. You can edit the source code and add a check of the administrator credentials before the delete action.

Credit:
-------
omnipresent
omnipresent[at]email[dot]it
http://it.security.netsons.org
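The fix the Solution section points at, shown as an added illustration rather than the guestbook's own source (which the advisory does not include): a hypothetical action dispatcher for the `id` parameter, with the unchecked delete beside a version that requires an authenticated admin session. The file name `entries.txt`, the session flag `is_admin` and the token field are assumptions; action number `4` mirrors the PoC URL.

```php
<?php
// Added illustration, not the guestbook's real code: layout, file name and
// session keys are assumed; only the "id=4 deletes everything" behaviour
// comes from the advisory.
session_start();

$entry_file = 'entries.txt';                         // assumed flat-file store
$action     = isset($_GET['id']) ? (int)$_GET['id'] : 0;

// Vulnerable pattern: a destructive action reachable by anyone who knows the
// URL, exactly the condition the advisory describes.
function delete_all_entries_unchecked($file)
{
    file_put_contents($file, '');
}

// Hardened pattern: every admin action is gated on a server-side session flag
// that only the login handler sets (after password_verify() succeeds), must be
// sent as POST so a plain link or <img> tag cannot trigger it, and must carry
// a per-session token so a forged cross-site form is rejected as well.
function require_admin()
{
    if (empty($_SESSION['is_admin'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Administrator login required.');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('HTTP/1.1 405 Method Not Allowed');
        exit('Admin actions must be submitted with POST.');
    }
    $sent = isset($_POST['token']) ? (string)$_POST['token'] : '';
    if (empty($_SESSION['token']) || !hash_equals($_SESSION['token'], $sent)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid request token.');
    }
}

function delete_all_entries($file)
{
    require_admin();                                 // never reached unauthenticated
    file_put_contents($file, '', LOCK_EX);
}

if ($action === 4) {
    // Before the fix this line called delete_all_entries_unchecked($entry_file).
    delete_all_entries($entry_file);
}
```

The same `require_admin()` gate belongs in front of every other edit or remove action the panel exposes, not only the bulk delete.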