Archive for July, 2009


Advanced Shoutbox and MySql Shoutbox scripts

July 11, 2009

Today I found an XSS hole in the “Advanced Shoutbox” script, and the same XSS hole plus an SQL injection vulnerability in the “MySql shoutbox”, which are available here: http://plohni.com/wb/content/php/Free_scripts.php

Advanced Shoutbox

index.php Line 37:
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">

index.php Line 79-82:
if($display == "all"){
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>">View small shoutbox</a><?php
}else{
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>?show=all">View all shouts</a><?php
}

Very easy to exploit: $_SERVER["PHP_SELF"] includes whatever path information the client appends to the script name, and both spots echo it into an HTML attribute without htmlspecialchars(). The encoded closing quote in the URL below therefore terminates the attribute and the script tag that follows is rendered:
http://host/PATH_TO_SHOUTBOX/index.php/%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3Cspan

Affected Version: 1.0

MySql shoutbox

The XSS hole is the same as above, but on lines 50, 55 and 97-99.

SQL Injection:
index.php does not sanitize the user input taken on lines 105 and 106 before it is concatenated into the INSERT statement further down:

$input_name = $_POST["input_name"];
$input_text = $_POST["input_text"];
...
if($row["name"] != $input_name && $row["comment"] != $input_text){
mysql_query("INSERT INTO $db_table (name,comment) VALUES ('$input_name','$input_text');") or die(mysql_error()); //insert name and shout
}

Just send a POST request to index.php. Enter anything in the name field and '+@@version+' (including the quotes) in the text field. The quotes close the string literal, so the statement becomes VALUES ('name',''+@@version+'') and the server evaluates the expression instead of storing the text. Because MySQL's + operator is numeric, the stored shout will show only the numeric prefix of the version string (for example 5.1) rather than the full version, which is still enough to prove the injection.

Affected Version: 1.0
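Here is how both flaws could be closed, as an added example that is not the shoutbox's own code: the script path is taken from SCRIPT_NAME and escaped before it is echoed, every stored value is escaped on output, and the insert uses a PDO prepared statement so the shout text is never part of the SQL. The database credentials, the table name and the id column used for ordering are assumptions standing in for the shoutbox's own configuration.

```php
<?php
// Added example (not the shoutbox author's code): a hardened version of the
// spots the advisory points at. Credentials, table name and the id column
// are assumptions standing in for the shoutbox's own config.
$db_host  = 'localhost';
$db_user  = 'shoutbox';
$db_pass  = 'secret';
$db_name  = 'shoutbox';
$db_table = 'shouts';

// Emit text inside an HTML attribute or element body without letting it
// break out of the surrounding markup.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// PHP_SELF carries client-controlled PATH_INFO ("/index.php/<anything>").
// SCRIPT_NAME is the script path as resolved by the web server, and it is
// escaped anyway so a hostile value cannot close the attribute.
$self = h($_SERVER['SCRIPT_NAME']);

$pdo = new PDO("mysql:host=$db_host;dbname=$db_name;charset=utf8", $db_user, $db_pass, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // let the server bind the parameters
));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input_name = isset($_POST['input_name']) ? trim($_POST['input_name']) : '';
    $input_text = isset($_POST['input_text']) ? trim($_POST['input_text']) : '';

    if ($input_name !== '' && $input_text !== '') {
        // The table name is configuration, not user input, so interpolating it is
        // fine; the values travel as bound parameters and never become SQL text.
        // A shout of '+@@version+' is therefore stored literally, not evaluated.
        $stmt = $pdo->prepare("INSERT INTO `$db_table` (name, comment) VALUES (:name, :comment)");
        $stmt->execute(array(':name' => $input_name, ':comment' => $input_text));
    }
}

$show_all = isset($_GET['show']) && $_GET['show'] === 'all';
// Assumes an auto-increment id column for ordering (not shown in the original).
$sql  = "SELECT name, comment FROM `$db_table` ORDER BY id DESC" . ($show_all ? '' : ' LIMIT 10');
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
?>
<form action="<?php echo $self; ?>" method="post">
  <input type="text" name="input_name">
  <input type="text" name="input_text">
  <input type="submit" value="Shout">
</form>
<?php foreach ($rows as $row): ?>
  <!-- stored values are escaped on output, so a stored XSS attempt is shown as text -->
  <p><b><?php echo h($row['name']); ?></b>: <?php echo h($row['comment']); ?></p>
<?php endforeach; ?>
<?php if ($show_all): ?>
  <a href="<?php echo $self; ?>">View small shoutbox</a>
<?php else: ?>
  <a href="<?php echo $self; ?>?show=all">View all shouts</a>
<?php endif; ?>
```

Escaping on output rather than on input is deliberate: the database keeps what the user typed, and every place that renders it decides how to encode it for its own context.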

The vendor was informed on 27.06.2009.

This post was published automatically two weeks after the vendor was informed.


Save The Net

July 9, 2009

“The Federal Government is planning to force all Australian servers to filter internet traffic and block any material the Government deems ‘inappropriate’. Under the plan, the Government can add any ‘unwanted’ site to a secret blacklist.

Testing has already begun on systems that will slow our internet by up to 87%, make it more expensive, miss the vast majority of inappropriate content and accidentally block up to 1 in 12 legitimate sites. Our children deserve better protection – and that won’t be achieved by wasting millions on this deeply flawed system.”

Sign the petition here


SQLi: Netbeans Sample Project “AirAlliance”

July 8, 2009

Today I got a notice that NetBeans 6.8 will have support for the Symfony PHP framework. Because I really like working with that framework and I have never worked with NetBeans (I use Eclipse instead), I thought I should give it a try. First I downloaded, installed and opened the development version. After that I opened the “AirAlliance” sample project (it is not a Symfony project).

But what I saw was not what I’d expected:

web/confirmreservation.php Line 33-48:
if(isset($_REQUEST["IID"])){
$IID = $_REQUEST["IID"];
...
$itineraryData = getItinerary($IID);

web/itinerarymanager.php Line 329-341:
function getItinerary($IID){
 $connection = initDB();
 $query;
 if($IID == 0){
  $query = "SELECT * FROM Itinerary";
 }
 else{
  $query = "SELECT * FROM Itinerary WHERE IID='".$IID."'";
 }
 
 
 $result = mysql_query($query);
...
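The value from $_REQUEST["IID"] is concatenated straight into the WHERE clause. As an added example (not part of the sample or of NetBeans), here is the same lookup with the id validated as an integer and bound as a typed parameter. It also makes the loose comparison $IID == 0 visible: under PHP 5 a string with no leading numeric value compares equal to 0, so such input takes the “all itineraries” branch, while input that starts with a non-zero digit reaches the string-built query. The PDO connection details are placeholders.

```php
<?php
// Added example (not NetBeans' AirAlliance code). The sample's initDB()
// returns a mysql_* link; a PDO handle is assumed here instead, and the DSN
// and credentials are placeholders.
function initDBPdo() {
    $pdo = new PDO('mysql:host=localhost;dbname=airalliance', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Mirrors the sample's own branch test so the pitfall is visible. Under PHP 5
// a string is converted to a number for "==", and one with no leading numeric
// value becomes 0: legacyBranch("' OR 1=1") is 'all', while
// legacyBranch("1' OR 1=1") is 'where' and would reach the string-built query.
function legacyBranch($IID) {
    return ($IID == 0) ? 'all' : 'where';
}

// Strict replacement: accept only a well-formed non-negative decimal integer.
// filter_var() returns false for "", "abc" and "1' OR '1'='1", but the int 0
// for "0", hence the identity check rather than a truthiness test.
function iidToInt($raw) {
    $iid = filter_var($raw, FILTER_VALIDATE_INT);
    return ($iid === false || $iid < 0) ? null : $iid;
}

function getItinerarySafe(PDO $connection, $raw) {
    $iid = iidToInt($raw);
    if ($iid === null) {
        // Garbage input is rejected instead of silently listing every itinerary.
        return array();
    }
    if ($iid === 0) {
        $stmt = $connection->query('SELECT * FROM Itinerary');
    } else {
        // The id travels as a typed parameter, never as part of the SQL text.
        $stmt = $connection->prepare('SELECT * FROM Itinerary WHERE IID = :iid');
        $stmt->bindValue(':iid', $iid, PDO::PARAM_INT);
        $stmt->execute();
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// How confirmreservation.php would call it (IID still comes from the request).
if (isset($_REQUEST['IID'])) {
    $itineraryData = getItinerarySafe(initDBPdo(), $_REQUEST['IID']);
}
```

Note that the original's "0 means everything" convention is kept only for a genuine integer 0; anything that is not an integer is refused rather than being coerced by the loose comparison.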

Ok, it’s just a sample project.
But how to learn the good things from the bad ones if you don’t know that they are bad?

I’m not sure if this says something about the IDE itself but I think I will continue my work with Eclipse…


Stalking Husbands…

July 1, 2009

Last night I received an email through the Full Disclosure mailing list. It seems that it was written by a stalking ex-husband (Mitch Nash; mtchnash@yahoo.com):

would like passwords for e mail, facebook, and my space for michelle.nash2009_at_yahoo.com, and my space passwords for marlee_michelle. (x wife and daughter) thank you, mitch nash

20 minutes after I received this message, I wrote the following email to Michelle:

Hi Michelle,

it seems that someone (your ex-husband?) is trying to get some hackers to break into your (and your daughter's) internet accounts.

Have a look here: http://seclists.org/fulldisclosure/2009/Jun/0288.html

Maybe it's better to change these passwords to totally random ones.

I just wanted to let you know…
If you have any questions, just send me an email…

Have a nice day,
PimpX

I hope she read it. I have not received a reply so far…