source: http://www.securityfocus.com/bid/4515/info xGB is guestbook software. It is written in PHP and will run on most Unix and Linux variants as well as Microsoft Windows operating systems. xGB does not sufficiently validate input that is supplied via form fields. An attacker may, under some circumstances, exploit this condition to execute arbitrary commands via injection of PHP code into form fields. First insert this code (<?php echo"delete datafile";?>) into a field like "Ihr Name", "Ihre eMail", "Homepage-Name" or "Homepage-URL". After that you can see your text you have inserted into the "Text"-Field. Now insert the same code into the same field as before. Now you get a error-message. If you now insert a third message the whole datafile is deleted and only the last message is saved in it.
Related ExploitsTrying to match OSVDBs (1): 86909
Other Possible E-DB Search Terms: XGB 1.2, XGB
|2005-02-08||XGB 2.0 - Authentication Bypass||Albania Security Clan|
|2007-08-29||xGB 2.0 - (xGB.php) Remote Security Bypass||DarkFuneral|
|2002-04-15||XGB Guestbook 1.2 - User-Embedded Scripting||Firehack|