Summary
MySQLguest by Allwebscripts "is a guestbook script that uses MySQL to store messages".
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs because the fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.

Details
In the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".

Exploit:
E-mail: <?php echo <p>Hello World</p>
Homepage: <script language=javascript>alert ("Messagebox")
Comments: <IFRAME SRC=www.computerknights.org>
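As an added example (not Allwebscripts' code and not part of the advisory), the following PHP handler for the four AWSguest.php fields validates the e-mail and homepage values and escapes every field at output time, fed with the advisory's own payloads as constructed input; it assumes PHP 7.4 or later, and the function and array-key names are hypothetical.

```php
<?php
// Added example (not Allwebscripts' code): validate and escape the four
// AWSguest.php fields so submitted text is never rendered as markup or PHP.
function sanitize_guest_entry(array $post): array   // hypothetical name
{
    $name = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $homepage = trim((string)($post['homepage'] ?? ''));
    $comments = trim((string)($post['comments'] ?? ''));
    // Keep the address only if it is syntactically valid; "<?php ..." is not.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = '';
    }
    // Keep the homepage only as an absolute http(s) URL, which rules out
    // "<script ...", "javascript:" and bare hostnames.
    $scheme = strtolower((string)parse_url($homepage, PHP_URL_SCHEME));
    if (filter_var($homepage, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        $homepage = '';
    }
    return ['name' => $name, 'email' => $email,
            'homepage' => $homepage, 'comments' => $comments];
}

// Escape at output time: stored text is shown as text, never interpreted.
// Never write submitted fields into a file that PHP will include or eval.
function render_guest_entry(array $entry): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<p class="name">' . $h($entry['name']) . '</p>';
    if ($entry['email'] !== '') {
        $html .= '<p class="email">' . $h($entry['email']) . '</p>';
    }
    if ($entry['homepage'] !== '') {
        $html .= '<p><a href="' . $h($entry['homepage']) . '" rel="nofollow noopener">'
              . $h($entry['homepage']) . '</a></p>';
    }
    $html .= '<p class="comments">' . nl2br($h($entry['comments'])) . '</p>';
    return $html;
}

// Constructed sample built from the advisory's three payloads.
$sample = [
    'name' => 'Visitor',
    'email' => '<?php echo <p>Hello World</p>',
    'homepage' => '<script language=javascript>alert ("Messagebox")',
    'comments' => '<IFRAME SRC=www.computerknights.org>',
];
echo render_guest_entry(sanitize_guest_entry($sample)), PHP_EOL;
```

With these payloads the e-mail and homepage values are dropped as invalid and the IFRAME comment is emitted as escaped text rather than as a live element.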

Additional information
The information has been provided by BliZZard.