Summary
MySQLguest by "Allwebscripts is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs as fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.
Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".
Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
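One way to handle the four fields safely, as an added example that is not part of the original advisory and is not Allwebscripts' code. The helper names `clean_entry`, `h` and `render_entry` are hypothetical, and the sketch assumes entries are rendered into an HTML page and never written to or included as a PHP file.

```php
<?php
// Added example: hypothetical helpers, not taken from AWSguest.php.

// Validate the submitted fields before storing them.
// Returns the cleaned entry, or null when a field is rejected.
function clean_entry(array $in): ?array
{
    $name     = trim((string)($in['name'] ?? ''));
    $email    = trim((string)($in['email'] ?? ''));
    $homepage = trim((string)($in['homepage'] ?? ''));
    $comments = trim((string)($in['comments'] ?? ''));

    if ($name === '' || strlen($name) > 80 || strlen($comments) > 2000) {
        return null;                      // length limits are assumed values
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                      // rejects markup in the E-mail field
    }
    if ($homepage !== '') {
        $scheme = strtolower((string)parse_url($homepage, PHP_URL_SCHEME));
        if (filter_var($homepage, FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            return null;                  // only absolute http(s) links allowed
        }
    }
    return compact('name', 'email', 'homepage', 'comments');
}

// Encode for the HTML context at output time, so "<" is never emitted raw.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entry(array $e): string
{
    $html = '<div class="entry"><b>' . h($e['name']) . '</b>';
    if ($e['homepage'] !== '') {
        $html .= ' <a rel="nofollow noopener" href="' . h($e['homepage']) . '">homepage</a>';
    }
    return $html . '<p>' . nl2br(h($e['comments'])) . '</p></div>';
}

// Constructed input reusing the advisory's sample values.
$bad = clean_entry(['name' => 'x', 'email' => '<?php echo <p>Hello World</p>']);
var_dump($bad === null);
$ok = clean_entry(['name' => 'x', 'comments' => '<IFRAME SRC=www.computerknights.org>']);
echo render_entry($ok), "\n";
```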
Additional information
The information has been provided by BliZZard.