SummaryMySQLguest by "Allwebscripts is a guestbook script that uses MySQL to store messages".
6 L3 ^9 B. A" |3 s8 K N7 e) y2 r" D6 l1 l& f
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs as fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.* m8 ]+ T7 Q. G1 n$ M
! d% v5 X, ?* N3 u
DetailsIn the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".
8 G- v" d, M6 B% i: o* P: @8 p3 ~7 U5 H0 T0 \9 `
Exploit:; `/ j6 |% z$ U- z; ?; |
E-mail: <?php echo <p>Hello World</p>
3 G5 G9 Y4 ]' u0 u; ~6 xHomepage: <script language=javascript>alert ("Messagebox")9 W9 h; V" x/ z% [ s; } E
Comments: <IFRAME SRC=www.computerknights.org>0 I3 G5 p% ]7 Y% ^+ @
- d$ c, ?1 u" J# S
Additional informationThe information has been provided by BliZZard.
IP卡
狗仔卡
发表于 2004-10-6 09:52
转播
淘帖
分享
收藏
支持
反对
微信
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
显身卡
