Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs as fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.

Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".

Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>

Additional information
The information has been provided by BliZZard.
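
The missing control described under Details, shown as an added example: the four fields are validated on input and every stored value is encoded when it is rendered. This is not MySQLguest's own code; the helper names (gb_html, gb_validate, gb_render) and the length limits are assumptions made for the example, and the sample input reuses the field values from the Exploit section.

```php
<?php
// Added example; helper names are hypothetical, not MySQLguest's own code.
// Encode a stored value for an HTML text or quoted-attribute context.
function gb_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the four fields; returns [entry, rejectedFieldNames]. Limits are assumed.
function gb_validate(array $in): array {
    $entry = [];
    $rejected = [];
    $limits = ['name' => 64, 'email' => 254, 'homepage' => 2048, 'comments' => 2000];
    foreach ($limits as $f => $max) {
        $entry[$f] = trim((string)($in[$f] ?? ''));
        if (strlen($entry[$f]) > $max) { $rejected[] = $f; }
    }
    foreach (['name', 'comments'] as $f) {            // required free text
        if ($entry[$f] === '') { $rejected[] = $f; }
    }
    if (filter_var($entry['email'], FILTER_VALIDATE_EMAIL) === false) { $rejected[] = 'email'; }
    if ($entry['homepage'] !== '') {                   // optional, http(s) only
        $scheme = strtolower((string)parse_url($entry['homepage'], PHP_URL_SCHEME));
        if (filter_var($entry['homepage'], FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            $rejected[] = 'homepage';
        }
    }
    return [$entry, array_values(array_unique($rejected))];
}

// Render one entry; every stored value is encoded at output time.
function gb_render(array $e): string {
    $link = $e['homepage'] === '' ? ''
        : ' <a rel="nofollow" href="' . gb_html($e['homepage']) . '">homepage</a>';
    return '<div><b>' . gb_html($e['name']) . '</b>' . $link
         . '<p>' . nl2br(gb_html($e['comments'])) . '</p></div>';
}

// Constructed input: the field values shown in the Exploit section.
$post = ['name' => 'Visitor',
         'email' => '<?php echo <p>Hello World</p>',
         'homepage' => '<script language=javascript>alert ("Messagebox")',
         'comments' => '<IFRAME SRC=www.computerknights.org>'];
[$entry, $rejected] = gb_validate($post);
echo 'rejected: ' . implode(', ', $rejected) . "\n";
foreach ($rejected as $f) { $entry[$f] = ''; }         // never render rejected values
echo gb_render($entry) . "\n";
```

The Comments value is free text and passes validation, so it is the encoding in gb_render, not the input check, that turns the IFRAME tag into inert text.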