ag-xss.txt

`netVigilance Security Advisory #12  
  
Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities  
  
Description:  
Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , html tags handling, smiles, advanced guestbook codes and language support. The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.  
  
External References:   
Mitre CVE: CVE-2007-0605  
NVD NIST: CVE-2007-0605  
OSVDB: 33877   
  
Summary:   
Advanced Guestbook is a PHP-based guestbook with admin interface.  
Security problems in the product allows attackers to conduct XSS attacks   
This vulnerabilities can be exploited only when PHP register_globals is On.  
Advisory URL:   
http://www.netvigilance.com/advisory0012  
  
Release Date:  
05/07/2007  
  
Severity:  
Risk: Medium  
  
CVSS Metrics  
Access Vector: Remote  
Access Complexity: High  
Authentication: not-required  
Confidentiality Impact: Partial  
Integrity Impact: Partial  
Availability Impact: Partial   
Impact Bias: Normal  
CVSS Base Score: 5.6  
Target Distribution on Internet: Low  
Exploitability: Functional Exploit  
Remediation Level: Workaround  
Report Confidence: Uncorroborated   
Vulnerability Impact: Attack  
Host Impact: XSS Attack  
SecureScout Testcase ID:  
Vulnerable Systems:  
Advanced Guestbook 2.4.2  
Vulnerability Type:  
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the target, by sending a specially crafted request to the web-site. The vulnerable web-site is not the target of attack but is used as a tool for the hacker in the attack of the victim.  
Vendor Status:   
Contact with the Vendor was established but draft of the security advisory wasn't provided because the Vendor stopped responding to our emails on 9 March 2007. There is no official fix at the release of this Security Advisory  
Workaround:  
Set PHP register_globals to Off.  
Example:   
XSS Attack Vulnerability 1:  
REQUEST:  
http://[TARGET]/[guestbook-directory]/picture.php?size[0]=1&size[1]=1&img=1&picture=%22%3E%3Cscript%3Ealert(%22ok%22)%3C/script%3E%3Cimg%20src=%22  
  
REPLY:  
Will execute <script>alert(document.cookie)</script>  
XSS Attack Vulnerability 2:  
The remote attacker can avoid the .htaccess file protection and run any script or view the contents of the templates.  
Set in the COOKIES variable lang = "../[name of the script without php extension]" for example "../lib/admin.class"  
REQUEST:  
http://[TARGET]/[guestbook-directory]/index.php  
  
REPLY:  
The Server will execute the script  
  
  
Credits:   
Jesper Jurcenoks  
Co-founder netVigilance, Inc  
www.netvigilance.com  
  
`