########################################
[+]Private address book (add.php) Cross Site Scripting Vulnerability
[+]Discovered by SETI_explorer
[+]Visit: my-exploit.com
[+]Greetz: Gangster, Zer0f, Despot
########################################
[+]Description: Private address book is a simple engine for editing addresses. It requires a MySQL database. A search script is also included for searching the addresses in the database. Simple to use.
[+]Download: http://www.hotscripts.com/jump.php?listing_id=62044&jump_type=1
[+]Script author: Iztok
Vulnerable C0de in add.php:
----------------------------------------
<?php
// Excerpt from add.php: every POST field is taken as-is and stored in the
// users table. No HTML encoding is applied on the way in, and list.php
// prints the stored values back out, so whatever is submitted in "info"
// (or any other field) reaches every visitor's browser unchanged.
if ($_POST['action']) {
    $name     = $_POST['name'];
    $surname  = $_POST['surname'];
    $nickname = $_POST['nickname'];
    $address  = $_POST['address'];
    $number   = $_POST['number'];
    $email    = $_POST['email'];
    $info     = $_POST['info'];
    $query = "INSERT INTO users (id, name, surname, nickname, address, number, email, info) VALUES (NULL, '$name', '$surname', '$nickname', '$address', '$number', '$email', '$info')";
    $rez = mysql_query($query);
}
----------------------------------------
Into the "Info" field, an attacker can submit malicious code such as <script>alert("Hello n00bs!");</script>
The value is stored unchanged, and afterwards everyone who opens the list.php page sees our message, because the script runs in each visitor's browser.
Solution:
$info=htmlspecialchars($_POST['info'], ENT_QUOTES);
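The one-liner above only covers the "info" field and only on the way in. As an added example (not code from the advisory or from the Private address book script), the complementary fix encodes every field where list.php prints it; the e() and render_row() helpers and the $rows sample are assumptions that stand in for list.php's own SELECT loop.

```php
<?php
// Added example, not part of the original script: escape each stored field
// at output time. $rows stands in for list.php's query result; the single
// row below is constructed here and carries the advisory's payload in info.

// Encode for an HTML text or attribute context. ENT_QUOTES handles both
// quote characters, so the value is also safe inside a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one address as a table row, escaping every column independently
// rather than trusting that add.php cleaned the data before storing it.
function render_row(array $row): string
{
    $cells = '';
    foreach (['name', 'surname', 'nickname', 'address', 'number', 'email', 'info'] as $col) {
        $cells .= '<td>' . e($row[$col] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>' . PHP_EOL;
}

// Constructed sample data in place of the SELECT from the users table.
$rows = [
    [
        'name'     => 'Alice',
        'surname'  => 'Example',
        'nickname' => 'ali"ce',
        'address'  => '1 Example St',
        'number'   => '555-0100',
        'email'    => 'alice@example.invalid',
        // the payload from the advisory, exactly as add.php would store it
        'info'     => '<script>alert("Hello n00bs!");</script>',
    ],
];

echo '<table>' . PHP_EOL;
foreach ($rows as $row) {
    echo render_row($row);
}
echo '</table>' . PHP_EOL;
```

Because the encoding happens at the point of output, rows that were inserted before add.php was patched are rendered as text as well, and a field stored for a non-HTML consumer is not double-encoded.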
########################################