Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs because fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.
Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".
Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
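A hardened way to accept and display the four fields listed above, as an added example that is not AWSguest.php's code or a vendor fix. The page does not describe how the script renders entries, so this assumes stored values are echoed into an HTML page; the function names and length limits are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: function names are hypothetical, not taken from AWSguest.php.

// Encode a stored value for HTML text or a quoted attribute at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the four guestbook fields; returns [rejected field names, cleaned entry].
function validate_entry(array $in): array
{
    $e = [];
    foreach (['name', 'email', 'homepage', 'comments'] as $field) {
        // Non-string input (e.g. name[]=x) is treated as empty.
        $e[$field] = is_string($in[$field] ?? null) ? trim($in[$field]) : '';
    }
    $bad = [];
    if ($e['name'] === '' || strlen($e['name']) > 80) { $bad[] = 'name'; }
    if ($e['email'] !== '' && filter_var($e['email'], FILTER_VALIDATE_EMAIL) === false) { $bad[] = 'email'; }
    if ($e['homepage'] !== '') {
        // Allow only http(s) links so other schemes never reach an href.
        $scheme = strtolower((string)parse_url($e['homepage'], PHP_URL_SCHEME));
        if (filter_var($e['homepage'], FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) { $bad[] = 'homepage'; }
    }
    if ($e['comments'] === '' || strlen($e['comments']) > 2000) { $bad[] = 'comments'; }
    return [$bad, $e];
}

// Render one entry; every dynamic value passes through h().
function render_entry(array $e): string
{
    $html = '<div class="entry"><strong>' . h($e['name']) . '</strong>';
    if ($e['email'] !== '') { $html .= ' <a href="mailto:' . h($e['email']) . '">e-mail</a>'; }
    if ($e['homepage'] !== '') { $html .= ' <a href="' . h($e['homepage']) . '" rel="nofollow noopener">homepage</a>'; }
    return $html . '<p>' . nl2br(h($e['comments'])) . '</p></div>';
}

// Constructed submission: the name is made up, the other values are the page's test strings.
$sample = [
    'name'     => 'Visitor',
    'email'    => '<?php echo <p>Hello World</p>',
    'homepage' => '<script language=javascript>alert ("Messagebox")',
    'comments' => '<IFRAME SRC=www.computerknights.org>',
];
[$bad, $entry] = validate_entry($sample);
foreach ($bad as $field) { $entry[$field] = ''; } // drop rejected optional fields
echo 'Rejected: ', implode(', ', $bad), PHP_EOL;
echo render_entry($entry), PHP_EOL;
```

Stored entries should also only ever be handled as data, never written into a file that PHP later includes or evaluates.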
Additional information
The information has been provided by BliZZard.