Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAliaksandr HartsuyeuPACKETSTORM:43751
HistoryFeb 13, 2006 - 12:00 a.m.

EV0058.txt

2006-02-1300:00:00
Aliaksandr Hartsuyeu
packetstormsecurity.com
29

0.016 Low

EPSS

Percentile

86.1%

JSON
`New eVuln Advisory:  
phphg Guestbook Multiple Vulnerabilities  
http://evuln.com/vulns/58/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0058  
CVE: CVE-2006-0602 CVE-2006-0603 CVE-2006-0604  
Vendor: Hinton Design  
Vendor's Web Site: http://www.hintondesign.org  
Software: phphg Guestbook  
Sowtware's Web Site: http://www.hintondesign.org/downloads/view_cat.php?cat_id=45  
Versions: 1.2  
Critical Level: Moderate  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. Authentication Bypass  
Vulnerable script: check.php  
  
There are two ways to bypass authentication:  
  
a) SQL Injection  
Variable $HTTP_POST_VARS[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.  
Condition: magic_quotes_gpc - off  
  
b) Cookie based authentication  
check.php script dont make password comparisson when identifying user by cookies  
  
  
2. Multiple Cross-Site Scripting  
Vulnerable script: signed.php  
Variables $HTTP_POST_VARS[location] $HTTP_POST_VARS[website] $HTTP_POST_VARS[message] are not properly sanitized. This can be used to post arbitrary html or script code.  
  
  
3. SQL Injections in administrator control panel  
Vulnerable scripts:  
admin/edit_smilie.php  
admin/add_theme.php  
admin/ban_ip.php  
admin/add_lang  
admin/edit_filter  
  
Variable $HTTP_GET_VARS[id] variable isn't properly sanitized. This can be used to make any SQL query by injecting arbitrary SQL code.  
Condition: magic_quotes_gpc - off  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/58/exploit.html  
  
1. Authentication Bypass  
  
a) SQL Injection  
url: http://host/hg/admin.php  
Username: ' or 1/*  
Password: any  
  
b) Cookie based authentication  
Cookie: loged=yes  
Cookie: username=admin  
Cookie: user_level=1  
  
  
2. Cross-Site Scripting Example.  
Url: http://host/hg/sign.php  
Location: <XSS>  
Website: javascript:alert(123)  
Message: <XSS>  
  
  
3. SQL Injection Example:  
http://host/hg/admin/edit_smilie.php? id=333'% 20union%20select% 201,2,3,4/*  
  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
`

Related

securityvulns 1
prion 3
cve 3
securityvulns
securityvulns
[eVuln] phphg Guestbook Multiple Vulnerabilities
2006-02-13 00:00:00
prion
prion
Sql injection
2006-02-08 23:02:00
Cross site scripting
2006-02-08 23:02:00
Design/Logic Flaw
2006-02-08 23:02:00
cve
cve
CVE-2006-0604
2006-02-08 23:02:00
CVE-2006-0603
2006-02-08 23:02:00
CVE-2006-0602
2006-02-08 23:02:00

0.016 Low

EPSS

Percentile

86.1%

JSON
Related for PACKETSTORM:43751
securityvulns1prion3cve3