F-Secure
Tools
Sanusart Simple PHP Guestbook Script PHP Code Execution
| Report ID: | SA32643 |
| Source: | Secunia |
| Date of Discovery: | 11.11.2008 |
| Criticality: | Urgent |
| Affects: | Sanusart Simple PHP Guestbook Script |
| Compromise From: | From remote |
| Compromise Type: | System access |
Summary
A vulnerability in Sanusart Simple PHP Guestbook Script, which can be exploited by malicious people to compromise a vulnerable system.
Detailed Description
A vulnerability in Sanusart Simple PHP Guestbook Script, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the "message" parameter in act.php is not properly sanitised before it is written to the "messages.txt" file. This can be exploited to execute PHP by including PHP code in the message body.
Input passed to the "message" parameter in act.php is not properly sanitised before it is written to the "messages.txt" file. This can be exploited to execute PHP by including PHP code in the message body.
Solution
Update to latest version.
http://www.sanusart.com/php/FREEsimplePHPguestbook.zip
http://www.sanusart.com/php/FREEsimplePHPguestbook.zip