Search...

LS simple guestbook (v1) Remote Code Execution Vulnerability

2007-04-15T00:00:00

ID SSV:6617
Type seebug
Reporter Root
Modified 2007-04-15T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ########################################################
#&nbsp;&nbsp;&nbsp;Special&nbsp;Greetings&nbsp;To&nbsp;-&nbsp;Timq,Warpboy,The-Maggot&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
########################################################

File:&nbsp;index.php
Affects:&nbsp;LS&nbsp;simple&nbsp;guestbook&nbsp;(v1)
Date:&nbsp;15th&nbsp;April&nbsp;2007

Issue&nbsp;Description:
===========================================================================
LS&nbsp;simple&nbsp;guestbook&nbsp;fails&nbsp;to&nbsp;sanitize&nbsp;user&nbsp;input&nbsp;that&nbsp;it&nbsp;writes&nbsp;to&nbsp;the
posts.txt&nbsp;file&nbsp;when&nbsp;the&nbsp;user&nbsp;leaves&nbsp;a&nbsp;message,&nbsp;this&nbsp;file&nbsp;is&nbsp;then&nbsp;included
causing&nbsp;any&nbsp;php&nbsp;code&nbsp;within&nbsp;it&nbsp;to&nbsp;be&nbsp;run.
===========================================================================

Scope:
===========================================================================
An&nbsp;attacker&nbsp;can&nbsp;inject&nbsp;arbitrary&nbsp;php&nbsp;code&nbsp;and&nbsp;potentially&nbsp;execute&nbsp;commands
on&nbsp;the&nbsp;system.
===========================================================================

Recommendation:
===========================================================================
Add&nbsp;the&nbsp;following&nbsp;line&nbsp;of&nbsp;code&nbsp;in&nbsp;index.php:

$message&nbsp;=&nbsp;strip_tags($message);

just&nbsp;above:

if&nbsp;($message&nbsp;!=&nbsp;\"\")&nbsp;{$file&nbsp;=&nbsp;fopen(\"$dataf\",\"a\");
===========================================================================


Example:

name&nbsp;=&nbsp;Test
message&nbsp;=&nbsp;&lt;?php&nbsp;phpinfo();&nbsp;?&gt;


Discovered&nbsp;By:&nbsp;Gammarays

&nbsp;

JSON Vulners Source

Initial Source

{"sourceData": "\n ########################################################\r\n#   Special Greetings To - Timq,Warpboy,The-Maggot     #\r\n########################################################\r\n\r\nFile: index.php\r\nAffects: LS simple guestbook (v1)\r\nDate: 15th April 2007\r\n\r\nIssue Description:\r\n===========================================================================\r\nLS simple guestbook fails to sanitize user input that it writes to the\r\nposts.txt file when the user leaves a message, this file is then included\r\ncausing any php code within it to be run.\r\n===========================================================================\r\n\r\nScope:\r\n===========================================================================\r\nAn attacker can inject arbitrary php code and potentially execute commands\r\non the system.\r\n===========================================================================\r\n\r\nRecommendation:\r\n===========================================================================\r\nAdd the following line of code in index.php:\r\n\r\n$message = strip_tags($message);\r\n\r\njust above:\r\n\r\nif ($message != \\\"\\\") {$file = fopen(\\\"$dataf\\\",\\\"a\\\");\r\n===========================================================================\r\n\r\n\r\nExample:\r\n\r\nname = Test\r\nmessage = <?php phpinfo(); ?>\r\n\r\n\r\nDiscovered By: Gammarays\r\n\r\n \n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-6617", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-6617", "type": "seebug", "viewCount": 2, "references": [], "lastseen": "2017-11-19T22:06:17", "published": "2007-04-15T00:00:00", "cvelist": [], "id": "SSV:6617", "enchantments_done": [], "modified": "2007-04-15T00:00:00", "title": "LS simple guestbook (v1) Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.8, "vector": "NONE", "modified": "2017-11-19T22:06:17", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:06:17", "rev": 2}, "vulnersScore": 0.8}}