XGB 1.2 - Remote Form Field Input Validation

EDB-ID:

21382

CVE:



Author:

Firehack

Type:

webapps


Platform:

PHP

Date:

2002-04-14


source: https://www.securityfocus.com/bid/4515/info

xGB is guestbook software. It is written in PHP and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

xGB does not sufficiently validate input that is supplied via form fields. An attacker may, under some circumstances, exploit this condition to execute arbitrary commands via injection of PHP code into form fields.

First insert this code (<?php echo"delete datafile";?>) into a field like
"Ihr Name", "Ihre eMail", "Homepage-Name" or "Homepage-URL". After that you can see your text you have inserted into the "Text"-Field. Now insert the same code
into the same field as before. Now you get a error-message. If you now
insert a third message the whole datafile is deleted and only the last message is saved in it.