------------------------------------------------------------------
- EXPL-A-2003-011 exploitlabs.com Advisory 011
------------------------------------------------------------------

-= MegaBook =-

exploitlabs.com
June 29, 2003

Vulnerability(s):
-----------------
1. XSS and unchecked input length
2. Default admin password
3. XSS via User-Agent (UA)
4. Not secure on NT
5. Undocumented attack vectors

Product:
--------
MegaBook guestbook
http://www.militerry.com/megabook/

Description of product:
-----------------------
"Megabook is an online guestbook that allows users that come to your site to leave a message. These messages can also contain their e-mail addresses, websites." "everyone will be able to view the messages left by past users"

...and whatever XSS they care to leave.

From their FAQ:

"Q: Will Megabook work on Windows NT servers?
A: Megabook was only tested on UNIX-based servers. There is a possibility that it could work but from other people testing it seems that it won't."

Don't know who they use to test, but it works fine on NT (heck, I'll beta).

Note: this is a very popular script, found easily by Google: gbook.db

All tests were run in a default state per the installation instructions and confirmed in the wild.

VULNERABILITY / EXPLOIT
=======================

1. XSS is executable via the login field in admin.cgi, and the field carries no length limit.
   http://[test-url]/megabook/admin.cgi

2. Default password is "megabook".
   http://www.militerry.com/megabook/files/20/setup.db
   (note: meJyatGfwfBXQ = megabook)
   The first two characters of the stored hash are always the first two characters of the password, in order.

3. User-Agent XSS vulnerability in gbook.db: contaminating the UA with XSS causes the injected script to become readable / executable when the guestbook is viewed.
   There are many more issues in this very popular script... I lost track.

4. Despite the vendor saying the script does not work on NT, it does with Perl installed, but this configuration is not desirable as all files become www-readable.
   (gbook.db contains e-mail and IP addresses)
   (setup.db contains the not-great hashed password and admin info)

5. preview.txt, missing.txt and signgbook.cgi (sic) provide posting function (not documented).

--------- snip of the cgi -------------
chmod(0666, "setup.db");   # world-writable while it is being read
open (SETUP, "setup.db");
@setup = <SETUP>;          # slurp every line of setup.db
close(SETUP);
chmod(0000, "setup.db");   # mode 0000 is what hides the file on Unix; on NT this does not make it unreadable
-------- end snip--------------------

Local:
------
no

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
megabook@militerry.com
Concurrent with this advisory

Credits:
--------
Donnie Werner
http://exploitlabs.com
http://frame4.com
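Items 1 and 3 come down to the same defect: the admin login field and the recorded User-Agent are stored and rendered as-is, with no length bound and no escaping. The Perl below is an added example written for this advisory, not MegaBook's own code. It assumes guestbook rows are available as hashes with the field names shown (name, email, message, user_agent; the real gbook.db layout is not documented here), bounds and HTML-escapes every field on output, and scans existing rows for ones that already carry markup or exceed the limits. The sample rows are constructed.

```perl
#!/usr/bin/perl
# Added example (not MegaBook's code): bound and escape untrusted guestbook
# fields before they reach HTML, and flag records that already carry markup.
use strict;
use warnings;

# Upper bounds per field; MegaBook itself applies none (advisory items 1 and 3).
# Field names are an assumption, not the real gbook.db layout.
my %MAX_LEN = (
    login      => 32,
    name       => 64,
    email      => 128,
    url        => 256,
    user_agent => 256,
    message    => 2048,
);

# Replace the characters that carry meaning in HTML text and attribute
# context so that the value can only ever render as text.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Truncate to the per-field limit, drop control characters, then escape.
sub clean_field {
    my ($field, $value) = @_;
    my $max = $MAX_LEN{$field} || 256;
    $value = '' unless defined $value;
    $value =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;   # keep \t \n \r only
    $value = substr($value, 0, $max) if length($value) > $max;
    return html_escape($value);
}

# Render one entry. Every field, the User-Agent included, goes through clean_field.
sub render_entry {
    my ($e) = @_;
    return sprintf("<p><b>%s</b> &lt;%s&gt;<br>%s<br><small>%s</small></p>\n",
        clean_field('name',       $e->{name}),
        clean_field('email',      $e->{email}),
        clean_field('message',    $e->{message}),
        clean_field('user_agent', $e->{user_agent}));
}

# Detection over existing rows: report (index, field) pairs whose raw value
# already contains a tag or exceeds its limit, i.e. was stored unescaped.
sub suspicious_entries {
    my @entries = @_;
    my @hits;
    for my $i (0 .. $#entries) {
        for my $f (sort keys %{ $entries[$i] }) {
            my $v = $entries[$i]{$f};
            next unless defined $v;
            my $max = $MAX_LEN{$f} || 256;
            push @hits, [ $i, $f ] if $v =~ /<[^>]*>/ || length($v) > $max;
        }
    }
    return @hits;
}

# Constructed sample rows standing in for gbook.db records (not real data).
my @sample = (
    { name => 'alice',   email => 'alice@example.invalid', message => 'Nice site',
      user_agent => 'Mozilla/4.0 (compatible)' },
    { name => 'mallory', email => 'm@example.invalid',     message => 'hi',
      user_agent => 'Mozilla/4.0 <script>alert(1)</script>' },
);

for my $hit (suspicious_entries(@sample)) {
    printf "record %d, field %s: carries markup or exceeds its limit\n", @$hit;
}
print render_entry($_) for @sample;
```

Run against the constructed rows it reports the second record's user_agent field and renders the tag as literal `&lt;script&gt;` text. The same clean_field call belongs in front of the admin.cgi login field, which is where item 1 lives.

Item 2 concerns the shipped default password and the shape of the stored hash. The second Perl block is also an added example, not MegaBook's code: it assumes setup.db keeps the admin password as a traditional 13-character crypt(3) string on a line of its own (the shape of the quoted value "meJyatGfwfBXQ"; the rest of the file's layout is not documented here), checks whether that hash still corresponds to the vendor default "megabook", and separately reports when the two leading characters of the hash equal the first two characters of the candidate password, the behaviour the advisory describes. The setup.db text is constructed.

```perl
#!/usr/bin/perl
# Added example (not MegaBook's code): audit a MegaBook setup.db for the
# vendor default admin password and for the hash layout the advisory describes.
use strict;
use warnings;

# The vendor's shipped default (advisory item 2).
my $DEFAULT_PASSWORD = 'megabook';

# Assumption: the stored value is a traditional 13-character crypt(3) string,
# the shape "meJyatGfwfBXQ" has; its first two characters are the salt.
sub looks_like_crypt_hash {
    my ($s) = @_;
    return defined $s && $s =~ m{^[./0-9A-Za-z]{13}$};
}

# True when $password hashes to $stored under the salt carried in $stored.
sub matches_password {
    my ($stored, $password) = @_;
    return 0 unless looks_like_crypt_hash($stored);
    my $h = crypt($password, substr($stored, 0, 2));
    return defined $h && $h eq $stored;
}

# True when the salt equals the first two characters of the candidate
# password, which per the advisory is how MegaBook forms it: anyone who can
# read setup.db then learns two characters of the admin password.
sub salt_is_password_prefix {
    my ($stored, $password) = @_;
    return looks_like_crypt_hash($stored)
        && substr($stored, 0, 2) eq substr($password, 0, 2);
}

# Pull every crypt-shaped line out of setup.db text. Only "one field per
# line" is assumed, so every line is examined.
sub extract_hashes {
    my ($text) = @_;
    my @hashes;
    for my $line (split /\n/, $text) {
        $line =~ s/\r$//;
        push @hashes, $1 if $line =~ m{^([./0-9A-Za-z]{13})$};
    }
    return @hashes;
}

# One finding per hash found in the file.
sub audit_setup_db {
    my ($text) = @_;
    my @findings;
    for my $h (extract_hashes($text)) {
        if (matches_password($h, $DEFAULT_PASSWORD)) {
            push @findings, "admin password is still the vendor default; change it";
        } elsif (salt_is_password_prefix($h, $DEFAULT_PASSWORD)) {
            push @findings, "salt '" . substr($h, 0, 2)
                . "' equals the first two characters of the default; the hash scheme exposes a password prefix";
        } else {
            push @findings, "hash $h is not the vendor default";
        }
    }
    push @findings, "no crypt-shaped hash found in setup.db" unless @findings;
    return @findings;
}

# Constructed stand-in for setup.db (layout assumed): the hash quoted in the
# advisory on its own line, followed by an admin e-mail field.
my $sample_setup_db = "meJyatGfwfBXQ\nadmin\@example.invalid\n";
print "$_\n" for audit_setup_db($sample_setup_db);
```

The comparison is done with Perl's crypt() using the salt taken from the stored value, so the check works for any crypt-formatted hash the file holds; on a system whose libc no longer implements DES crypt the call yields a non-matching value and the audit falls through to the salt check rather than reporting a match. Item 4 needs no code: keep gbook.db and setup.db outside the document root, or deny them at the web server, because the chmod dance in the snippet above only ever protected them on Unix.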