Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Easy Guestbook Vulnerabilities
From: Arek Suroboyo <ar3su () yahoo com>
Date: Sat, 27 Jul 2002 12:58:55 -0700 (PDT)
AresU Advisory 
19/July/2002 

Easy Guestbook Vulnerabilities 

Severity        : High (Possible to edit member
homepage) 
Systems Affected: Easy Guestbook v1.0 
Vendor URL      : http://www.easyscripts.co.uk 
Vuln Type       : It does not use Access Validation to
delete the entries and login as Admin Control. 
Author          : AresU 
Greetz to       : Bosen, Tioeuy, eF73, SakitJiwa,
nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang 
Adv.URL         :
http://bosen.net/advisories/aresu-adv.002.txt

Summary 
======= 
1) Everyone can delete the entries and login as Admin
Control. 
2) Everyone can reconfigure Guestbook when they open
config.cgi and change Admin Password. 

Solution 
======== 
1) Add Access Validation on "delete_message" function
and "start" function. 

   Add admin.cgi with this code: 
   sub login_verify 
   { 
        chomp($FORM{'login_username'}); 
        chomp($FORM{'login_password'}); 
        if (!($FORM{'login_username'} eq $username &&
$FORM{'login_password'} eq $password)) 
        { 
          dienice("Sorry, but you have entered an
invalid username or password.  Please press the 'back'
button on your browser to return to the Login
Screen."); 
        } 
   } 
  
   And on the first line of "delete_message" function
and "start" function add this: 
   &login_verify; 

   And on the "start" function add this code in the
<FORM>: 
   <input type="hidden" name="login_username"
value="$FORM{'login_username'}"> 
   <input type="hidden" name="login_password"
value="$FORM{'login_password'}"> 
   
2) Delete config.cgi after you finish configure the
Guestbook.   


Acknowledgments 
=============== 
Vulnerability discovery, exploit code, and advisory by
AresU 

Vendor Response 
=============== 
Vendor has been contacted for about 10 days but they
still didn't fix yet. 

Exploit Code 
============ 
Change action in the html form.


__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

Attachment: easyguestbook.zip
Description: easyguestbook.zip

  By Date           By Thread  

Current thread:
  • Easy Guestbook Vulnerabilities Arek Suroboyo (Jul 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]