-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
ppp-design found the following cross-site-scripting-bug in phpGB:
Product: phpGB Affected Version: 1.10 and maybe all versions before Immune Version: 1.20 OS affected: all OS with php Vendor-URL: http://www.walzl.net Vendor-Status: informed, new version avaiable Security-Risk: high Remote-Exploit: Yes
phpGB ist a php/mysql based guestbook. Unfortunately no input is been filtered for malicious code segments. That leads to the possibility of a cross-site-scripting attack.
Enter the following guestbookentry:
"delete me <script>alert(document.cookie)</script>"
When an admin tries to delete this entry, a popup showing his session id will come up. Of course it is quite easy to submit this session id to blackhat's server instead of showing this popup.
phpGB 1.2 filters all inputs.
Because after a successfull attack an attacker is able to do anything an admin can do, the whole guestbook shall be deemed to be compromised. That is why we are rating the risk to high.
The author had fixed this bug allready, when we informed him.
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
This advisory can be found online: http://www.ppp-design.de/advisories.php
ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org
iD8DBQE9fEyVDXh7YLO1RRoRAnEgAJ4kwbAytd4g8i38ngNTQ0DE19XULACg5DfR j/Mes4I6IxqkiDrf2CYpEQY= =eTCl -----END PGP SIGNATURE-----