Advanced Shoutbox and MySql Shoutbox scripts

July 11, 2009

Today I have found an XSS hole in the “Advanced Shoutbox” script and the same XSS hole and an SQL injection vulnerability in the “MySql shoutbox” wich are available here: http://plohni.com/wb/content/php/Free_scripts.php

Advanced Shoutbox

index.php Line 37:
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">

index.php Line 79-82:
if($display == "all"){
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>">View small shoutbox</a><?php
?><a href="<?php echo $_SERVER["PHP_SELF"]; ?>?show=all">View all shouts</a><?php

Very easy to exploit:

Affected Version: 1.0

MySql shoutbox

The XSS hole is the same as above, but on the lines 50, 55 and 97-99.

SQL Injection:
The index.php does not sanitize the users input on lines 105 and 106.

$input_name = $_POST["input_name"];
$input_text = $_POST["input_text"];
if($row["name"] != $input_name && $row["comment"] != $input_text){
mysql_query("INSERT INTO $db_table (name,comment) VALUES ('$input_name','$input_text');") or die(mysql_error()); //insert name and shout

Just send a POST request to the index.php. In the name field enter whatever you want and in the text field enter ‘+@@version+’ (including the ‘).

Affected Version: 1.0

Vendor has been informed on 27.06.2009

This post has been automatically published after two weeks since the vendor has been informed.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: