SummaryMySQLguest by "Allwebscripts is a guestbook script that uses MySQL to store messages".
3 x4 r- K8 h) ]$ |. g) g* _* z7 O4 }: R
Allwebscripts' MySQLguest is vulnerable to a source code injection vulnerability in the AWSguest.php page. The vulnerability occurs as fields in the AWSguest.php page do not adequately sanitize HTML, script or PHP code.1 F4 k8 _) @1 h% Y: \! e# @) x3 V
: ^! ~! q# q" I9 m. [' S& J* u DetailsIn the AWSguest.php page, any of the following fields can be used to inject arbitrary HTML, JavaScript or PHP: "Name", "Email", "Homepage" and "Comments".4 H) z' ?: N- m* q4 \. |
% q0 q9 @% g' Z9 U! y5 H- yExploit:# o9 |( d* J, Y/ ? {9 CE-mail: <?php echo <p>Hello World</p># x% A7 w; f& h4 @
Homepage: <script language=javascript>alert ("Messagebox")
% \$ P' f" c4 MComments: <IFRAME SRC=www.computerknights.org>
- X, o& x0 u" @4 |& D( y5 C2 l1 V7 i# y T Additional informationThe information has been provided by BliZZard.
IP卡
狗仔卡
发表于 2004-10-6 09:52
转播
淘帖
分享
收藏
支持
反对
微信
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
显身卡
