Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs as fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.

Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".

Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
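
One way to close this hole on output, as an added example that is not Allwebscripts' code or part of the original advisory: every stored field is HTML-encoded when rendered, and the E-mail and Homepage values are validated before use. The function names and the `$entry` array layout are assumptions; the sample input is constructed from the strings above.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; only the four field names come from the advisory.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only syntactically valid http(s) URLs for the Homepage field. */
function clean_homepage(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/**
 * Render one guestbook entry. Stored values are only ever emitted as
 * encoded data; they are never written to an included file or evaluated.
 */
function render_entry(array $entry): string
{
    $email = filter_var($entry['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: null;
    $home  = clean_homepage((string) ($entry['homepage'] ?? ''));

    $html  = '<div class="entry">';
    $html .= '<p class="name">' . h((string) ($entry['name'] ?? '')) . '</p>';
    if ($email !== null) {
        $html .= '<p class="email">' . h($email) . '</p>';
    }
    if ($home !== null) {
        $html .= '<p><a rel="nofollow noopener" href="' . h($home) . '">' . h($home) . '</a></p>';
    }
    $html .= '<p class="comments">' . nl2br(h((string) ($entry['comments'] ?? ''))) . '</p>';
    return $html . '</div>';
}

// Constructed sample entry reusing the advisory's test strings.
$sample = [
    'name'     => 'Guest',
    'email'    => '<?php echo <p>Hello World</p>',
    'homepage' => '<script language=javascript>alert ("Messagebox")',
    'comments' => '<IFRAME SRC=www.computerknights.org>',
];
echo render_entry($sample), "\n";
```

With this sample, the E-mail and Homepage values fail validation and are dropped, and the Comments value is rendered as literal text (`&lt;IFRAME ...&gt;`) rather than as markup.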

Additional information
The information has been provided by BliZZard.