Summary
MySQLguest by Allwebscripts is "a guestbook script that uses MySQL to store messages".

Allwebscripts' MySQLguest is vulnerable to code injection through the AWSguest.php page. The form fields handled by AWSguest.php do not adequately sanitize their input, so HTML, script or PHP code submitted in them is stored and rendered to other visitors of the guestbook.

Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".

Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
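The root cause described above is that guestbook fields are echoed back into the page without encoding. The following PHP is an added example, not code from MySQLguest or from the advisory's author: it places the unsafe echo pattern beside a hardened renderer that HTML-encodes every field on output and additionally validates the Email and Homepage values. The function names, the field names and the sample entry are assumptions; the entry is constructed from the payloads quoted in the exploit section so the difference is visible when the script is run.

```php
<?php
// Added example (not MySQLguest's own code): why unencoded guestbook fields
// become live markup, and how output encoding neutralises them.
// Function and field names are assumptions; the entry at the bottom is
// constructed from the payloads quoted in the advisory.

declare(strict_types=1);

// Vulnerable pattern: each stored field is concatenated straight into the
// page, so any <script>, <iframe> or other tag a visitor submitted renders.
function renderEntryUnsafe(array $entry): string
{
    return '<div class="entry">'
        . '<b>' . $entry['name'] . '</b> '
        . '<a href="mailto:' . $entry['email'] . '">' . $entry['email'] . '</a> '
        . '<a href="' . $entry['homepage'] . '">' . $entry['homepage'] . '</a>'
        . '<p>' . $entry['comments'] . '</p>'
        . '</div>';
}

// Encode one value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http(s) URLs for the Homepage link; anything else
// (including javascript: or a bare tag) is dropped rather than linked.
function safeHttpUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened pattern: every field is encoded on output regardless of which
// field it came from; Email and Homepage are also validated for their
// intended use, so the stored text can never reach the browser as markup.
function renderEntrySafe(array $entry): string
{
    $email = filter_var($entry['email'], FILTER_VALIDATE_EMAIL) ?: '';
    $home  = safeHttpUrl($entry['homepage']);

    $html = '<div class="entry"><b>' . h($entry['name']) . '</b> ';
    if ($email !== '') {
        $html .= '<a href="mailto:' . h($email) . '">' . h($email) . '</a> ';
    }
    if ($home !== null) {
        $html .= '<a href="' . h($home) . '" rel="nofollow">' . h($home) . '</a>';
    }
    $html .= '<p>' . nl2br(h($entry['comments'])) . '</p></div>';
    return $html;
}

// Constructed entry carrying the payloads quoted in the advisory.
$entry = [
    'name'     => 'visitor',
    'email'    => '<?php echo <p>Hello World</p>',
    'homepage' => '<script language=javascript>alert ("Messagebox")',
    'comments' => '<IFRAME SRC=www.computerknights.org>',
];

echo "Unsafe rendering:\n", renderEntryUnsafe($entry), "\n\n";
echo "Hardened rendering:\n", renderEntrySafe($entry), "\n";
```

Run with `php example.php`: the unsafe output contains the raw `<script>` and `<IFRAME>` tags, while the hardened output shows them as `&lt;script ...&gt;` text, drops the invalid e-mail address, and omits the Homepage link because the value is not an http(s) URL. The important design choice is that encoding happens at the point of output for every field, not as a per-field blocklist, which is what makes the fix hold for all four fields the advisory names.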

Additional information
The information has been provided by BliZZard.