<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place" downloadurl="http://www.5iantlavalamp.com/"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City" downloadurl="http://www.5iamas-microsoft-com:office:smarttags"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName" downloadurl="http://www.microsoft.com"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Courier;
panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
h1
{margin:0in;
margin-bottom:.0001pt;
font-size:16.0pt;
font-family:"Trebuchet MS";
font-weight:bold;}
h2
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:14.0pt;
font-family:"Trebuchet MS";
font-weight:bold;}
h3
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Trebuchet MS";
font-weight:bold;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
code
{font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:56.7pt 42.5pt 56.7pt 85.05pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p><b><font size=3 face="Times New Roman"><span style='font-size:12.0pt;
font-weight:bold'>netVigilance Security Advisory #10</span></font></b><br>
<br>
<b><span style='font-weight:bold'>dt_guestbook version 1.0f XSS vulnerability</span></b>
<o:p></o:p></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'><br>
<b><span style='font-weight:bold'>Description:</span></b><br>
<a href="http://fedorov.vitalain.ru/guestdemo/">dt_guestbook</a> is a
fully-featured message board system with admin interface. Due to program flaws it
is possible for the remote attacker to conduct XSS attacks.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>The
remote attacker can convince the victim to open a specially crafted link that
is a trusted guestbook server and execute arbitrary code in the user’s
browser session.<br>
<br>
<b><span style='font-weight:bold'>External References:</span></b> <br>
Mitre CVE: CVE-2006-6487 </span></font><font face="Trebuchet MS"><span
style='font-family:"Trebuchet MS"'><a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6487">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6487</a>
</span></font><br>
NVD NIST: CVE-2006-6487 <font face="Trebuchet MS"><span style='font-family:
"Trebuchet MS"'>http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6487</span></font><br>
OSVDB: <a href="http://www.osvdb.com/displayvuln.php?osvdb_id=30787">30787</a> <font
face="Trebuchet MS"><span style='font-family:"Trebuchet MS"'>http://www.osvdb.com/displayvuln.php?osvdb_id=30787</span></font><br>
<br>
<b><span style='font-weight:bold'>Summary:</span></b> <br>
<a href="http://fedorov.vitalain.ru/guestdemo/">dt_guestbook</a> a
fully-featured message board system with admin interface. <o:p></o:p></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>A
security problem in the product allows attackers to conduct XSS attacks. <br>
This vulnerability can be exploited only when PHP register_globals is On.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'><br>
<b><span style='font-weight:bold'>Release Date: </span></b>January 15, 2007<br>
<br>
<br>
<b><span style='font-weight:bold'>Severity:</span></b><br>
<b><span style='font-weight:bold'>Risk:</span></b> Medium<br>
<b><span style='font-weight:bold'> </span></b><br>
<b><span style='font-weight:bold'>CVSS Metrics</span></b><br>
<b><span style='font-weight:bold'>Access Vector:</span></b> Remote<br>
<b><span style='font-weight:bold'>Access Complexity: </span></b>High<br>
<b><span style='font-weight:bold'>Authentication:</span></b> not-required<br>
<b><span style='font-weight:bold'>Confidentiality Impact: </span></b>Partial<br>
<b><span style='font-weight:bold'>Integrity Impact: </span></b>Partial<br>
<b><span style='font-weight:bold'>Availability Impact:</span></b> Partial<br>
<b><span style='font-weight:bold'>Impact Bias:</span></b> <st1:place w:st="on"><st1:City
w:st="on">Normal</st1:City></st1:place><br>
<b><span style='font-weight:bold'>CVSS Base Score: </span></b>5.6<br>
<b><span style='font-weight:bold'> </span></b><br>
<b><span style='font-weight:bold'>Target Distribution on Internet: </span></b>Low<br>
<b><span style='font-weight:bold'> </span></b><br>
<b><span style='font-weight:bold'>Exploitability: </span></b>Functional<b><span
style='font-weight:bold'> </span></b>Exploit<br>
<b><span style='font-weight:bold'>Remediation Level</span></b>: Workaround<br>
<b><span style='font-weight:bold'>Report Confidence: </span></b>Uncorroborated<br>
<b><span style='font-weight:bold'> </span></b><br>
<b><span style='font-weight:bold'>Vulnerability Impact: </span></b>Attack<br>
<b><span style='font-weight:bold'>Host Impact: </span></b>cross-site scripting.<br>
<br>
<br>
<b><span style='font-weight:bold'>SecureScout Testcase ID:</span></b><br>
TC 17940<br>
<br>
<br>
<o:p></o:p></span></font></p>
<p><b><font size=3 face="Times New Roman"><span style='font-size:12.0pt;
font-weight:bold'>Vulnerable Systems:</span></font></b><br>
dt_guestbook 1.0f.<br>
<br>
<b><span style='font-weight:bold'>Vulnerability Type:</span></b><br>
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to
the target, by sending a specially crafted request to the web-site. The
vulnerable web-site is not the target of attack but is used as a tool for the
hacker in the attack of the victim.<br>
<br>
<b><span style='font-weight:bold'>Vendor Status:</span></b> Author Alexander
Fedorov was notified on Dec 8 2006 and agreed to correct the XSS in his
product. He has failed to respond to emails or Chat since Dec 8 2006.<br>
.<o:p></o:p></p>
<p><b><font size=3 face="Times New Roman"><span style='font-size:12.0pt;
font-weight:bold'>Solution: </span></font></b>Patch Possibly Pending from
Vendor, please check <a href="http://fedorov.vitalain.ru/">http://fedorov.vitalain.ru</a>
for updates.<br>
.<o:p></o:p></p>
<p><b><font size=3 face="Times New Roman"><span style='font-size:12.0pt;
font-weight:bold'>Workaround:</span></font></b><br>
Set PHP register_globals to Off.<o:p></o:p></p>
<p><b><font size=3 face="Times New Roman"><span style='font-size:12.0pt;
font-weight:bold'>Example:</span></font></b> <br>
<font size=2 face="Courier New"><span style='font-size:10.0pt;font-family:"Courier New"'>HTTP
REQUEST
http://[TARGET]/[dt_guestbook_v1-directory]/index.php?submit=1&error[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E<o:p></o:p></span></font></p>
<p><font size=2 face="Courier New"><span style='font-size:10.0pt;font-family:
"Courier New"'>REPLY<o:p></o:p></span></font></p>
<p><code><font size=2 face="Courier New"><span style='font-size:10.0pt'>...</span></font></code><font
size=2 face="Courier New"><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></font></p>
<p><font size=2 face="Courier New"><span style='font-size:10.0pt;font-family:
"Courier New"'>will execute <script>alert(document.cookie)</script><o:p></o:p></span></font></p>
<p><code><font size=2 face="Courier New"><span style='font-size:10.0pt'>... </span></font></code><o:p></o:p></p>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:bold'>Advisory URL: </span></font></b><a
href="http://www.netvigilance.com/advisory0009">http://www.netvigilance.com/advisory0009</a>
<b><span style='font-weight:bold'><o:p></o:p></span></b></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<b><span style='font-weight:bold'>Credits:</span></b> <br>
<st1:PersonName w:st="on">Jesper Jurcenoks</st1:PersonName><br>
Co-founder netVigilance, Inc<br>
</span><span lang=RU><a href="http://www.netvigilance.com"><span lang=EN-US>www.netvigilance.com</span></a></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>