XGB 1.2 - Remote Form Field Input Validation Vulnerability

2014-07-01T00:00:00
ID SSV:75209
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/4515/info

xGB is guestbook software. It is written in PHP and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

xGB does not sufficiently validate input that is supplied via form fields. An attacker may, under some circumstances, exploit this condition to execute arbitrary commands via injection of PHP code into form fields.

First insert this code (<?php echo"delete datafile";?>) into a field like
"Ihr Name", "Ihre eMail", "Homepage-Name" or "Homepage-URL". After that you can see your text you have inserted into the "Text"-Field. Now insert the same code
into the same field as before. Now you get a error-message. If you now
insert a third message the whole datafile is deleted and only the last message is saved in it.