Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to source code injection in the AWSguest.php page. The vulnerability occurs because fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.

Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".

Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
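
One way to close this class of bug for the four fields named above, shown as an added example and not taken from the MySQLguest source: validate each field on input, store it with bound parameters, and escape it on output. The function names and the `guestbook` table and its columns are assumptions.

```php
<?php
// Added example, not MySQLguest code; names, table and columns are hypothetical.

// Validate the four form fields before storage; null means reject.
function clean_entry(array $in): ?array
{
    $e = [];
    foreach (['name', 'email', 'homepage', 'comments'] as $k) {
        $v = $in[$k] ?? '';
        $e[$k] = is_string($v) ? trim($v) : '';
    }
    if ($e['name'] === '' || strlen($e['name']) > 64 || strlen($e['comments']) > 2000) {
        return null;
    }
    // A field holding markup or a PHP open tag is not a valid address.
    if (filter_var($e['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Homepage is optional; if present it must be an http(s) URL.
    if ($e['homepage'] !== '') {
        $scheme = strtolower((string)parse_url($e['homepage'], PHP_URL_SCHEME));
        if (filter_var($e['homepage'], FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            return null;
        }
    }
    return $e;
}

// Store with bound parameters so field contents stay data.
function save_entry(PDO $db, array $e): void
{
    $db->prepare(
        'INSERT INTO guestbook (name, email, homepage, comments)
         VALUES (:name, :email, :homepage, :comments)'
    )->execute($e);
}

// Escape at output so stored markup is displayed as text, not interpreted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entry(array $e): string
{
    $link = $e['homepage'] === '' ? '' : ' <a href="' . h($e['homepage']) . '" rel="nofollow">homepage</a>';
    return '<p><b>' . h($e['name']) . '</b> &lt;' . h($e['email']) . '&gt;' . $link . '</p>'
         . '<p>' . nl2br(h($e['comments'])) . '</p>';
}
```

Stored fields should also never be written into a file that PHP later includes, or passed to `eval()`, since output escaping does not protect those paths.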

Additional information
The information has been provided by BliZZard.