Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to source code injection in the AWSguest.php page. The vulnerability occurs because fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.
Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".
Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
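One way to handle the four fields defensively, as an added example that is not Allwebscripts' code: validate on input, encode on output, and run the three payloads above through both steps. The function names and length limits are assumptions; the internals of AWSguest.php are not shown in this advisory.

```php
<?php
// Added example; function names and limits are hypothetical, not from AWSguest.php.
// Encode a value for HTML text or a quoted attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate one submission. Returns the list of rejected field names.
function validate_entry(array $e): array {
    $bad = [];
    if ($e['name'] === '' || strlen($e['name']) > 80) {
        $bad[] = 'name';
    }
    if (filter_var($e['email'], FILTER_VALIDATE_EMAIL) === false) {
        $bad[] = 'email';
    }
    if ($e['homepage'] !== '') {
        // Only absolute http(s) URLs may end up in an href.
        $scheme = strtolower((string) parse_url($e['homepage'], PHP_URL_SCHEME));
        if (filter_var($e['homepage'], FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            $bad[] = 'homepage';
        }
    }
    if ($e['comments'] === '' || strlen($e['comments']) > 2000) {
        $bad[] = 'comments';
    }
    return $bad;
}

// Render a stored entry. Every field is encoded at output time, so stored
// markup is shown as text. Entries are data: never write them into a .php
// file or pass them to eval()/include.
function render_entry(array $e): string {
    $link = $e['homepage'] === '' ? '' :
        ' (<a rel="nofollow" href="' . h($e['homepage']) . '">homepage</a>)';
    return '<div class="entry"><b>' . h($e['name']) . '</b> &lt;' . h($e['email'])
        . '&gt;' . $link . '<p>' . nl2br(h($e['comments'])) . '</p></div>';
}

// Constructed input: the three payloads quoted in the advisory.
$entry = [
    'name'     => 'tester',
    'email'    => '<?php echo <p>Hello World</p>',
    'homepage' => '<script language=javascript>alert ("Messagebox")',
    'comments' => '<IFRAME SRC=www.computerknights.org>',
];
echo implode(',', validate_entry($entry)), "\n"; // names of rejected fields
echo render_entry($entry), "\n";                 // encoded output of the same entry
```

Validation alone would let the Comments payload through, since free text cannot be checked against a strict format; the output encoding in render_entry() is what keeps it from being interpreted by the browser.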
Additional information
The information has been provided by BliZZard.