From: "Florian Hobelsberger / BlueScreen" <genius28@gmx.de>
To: <bugtraq@securityfocus.com>
Subject: Several x-dev.de Guestbook and xNewsletter Vulnerabilities ( www.x-dev.de )
Date: Sun, 14 Apr 2002 23:40:06 +0200

------------------------------------------------------------
itcp advisory 12
advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/12.html
April 14th, 2002
------------------------------------------------------------

Several x-dev.de Guestbook and xNewsletter Vulnerabilities ( www.x-dev.de )
-------------------------

Affected programs: x-dev.de Guestbook, xNewsletter, the site x-dev.de itself
URL: http://www.x-gfx.de/index.php?cat=php&page=./download/down.php
Vendor: http://www.x-gfx.de / http://www.x-dev.de
Vulnerability-Class: Arbitrary Command Execution under certain circumstances; Cross Site Scripting; Information Disclosure; Deletion of datafiles
OS specific: No
Problem-Type: remote

SUMMARY

The Guestbook and Newsletter scripts by "x-development" are vulnerable to Cross Site Scripting. Further, denial of service possibilities and a possible remote command execution vulnerability have been found.

Description of x-dev.de Guestbook (loosely translated from German into English):

"- Guestbook script for your homepage
- Fully customizable (header, footer & templates)
- Data is saved via CSV (text files), no database necessary
- Large administration panel incl. bad-word list
- Smilies and UBC (board code) can be enabled or disabled
- Allow or disallow HTML in entries
- Fields: name, e-mail address, homepage (optional), homepage title (optional) and entry"

Description of xNewsletter (loosely translated from German into English):

"- Sends e-mails to all e-mail addresses in the list
- Your users will be informed and will come back to your site
- Saves data via CSV (text file), no database necessary
- Easy adjustment and administration
- The user can delete his address from the script himself
- Can be included easily at other sites
- For further information read the attached readme.txt"

Description of www.x-dev.de (loosely translated from German into English):

"This is the site of x-dev, an upcoming design company."

DETAILS FOR the Guestbook

There is no check whether the user has written JavaScript inside [img] tags in the x-dev Guestbook. Further, it is possible to delete all data in the data file via PHP code. Under certain circumstances it is also possible to execute arbitrary commands.

Programming mistake in xGB.php line 51 and in xGB_write.php lines 45 and 46 (missing code):

$text[$start] = eregi_replace("\[img\]([^\[]+)\[/img\]", "<img src=\"\\1\" border=\"0\">", $text[$start]);

IMPACT

This can result in denial of service of the guestbook, page forwarding, possibly stealing of cookies, etc. (On Bugtraq there was a really interesting discussion about several possibilities to exploit Cross Site Scripting vulnerabilities. In the next two months we will also release a paper about it.)

EXPLOIT

Just write this in your guestbook entry:

1. [img]javascript:alert('This Guestbook allows Cross Site Scripting');[/img]

Or with this entry you can delete the whole data file:

2. First insert this code (<?php echo"delete datafile";?>) into a field like "Ihr Name", "Ihre eMail", "Homepage-Name" or "Homepage-URL". After that you can see the text you inserted in the "Text" field. Now insert the same code into the same field as before.
Now you get an error message. If you now insert a third message, the whole data file is deleted and only the last message is saved in it.

SOLUTION FOR 1.

Replace line 51 with the following code:

/* patch by Markus Köberle (Firehack), visit: www.it-checkpoint.net */
$text[$start] = preg_replace("/\[img]([^\"\'\(\)]*)\[\/img\]/siU", '<img border="0" src="\1">', $text[$start]);

SOLUTION FOR 2.

Replace lines 45 and 46 with the following code:

/* corrected by Markus (Firehack) K. visit www.it-checkpoint.net */
# were invalid characters used (% etc.)?
$ung = "Ungültige Zeichen wie <,>,%,?,(,) wurden gefunden bitte wiederholen Sie ihre Eingaben!";
$newname = htmlspecialchars($newname);
$newemail = htmlspecialchars($newemail);
$newpagename = htmlspecialchars($newpagename);
$newpageurl = htmlspecialchars($newpageurl);
if (preg_match('/(\$|%|\(|\)|\?)/', $newname)) { echo $ung; exit; }
if (preg_match('/(\$|%|\(|\)|\?)/', $newemail)) { echo $ung; exit; }
if (preg_match('/(\$|%|\(|\)|\?)/', $newpagename)) { echo $ung; exit; }
if (preg_match('/(\$|%|\(|\)|\?)/', $newpageurl)) { echo $ung; exit; }
$newname = ereg_replace(" ", "!", $newname);
include("./data/gb_data.dat");

DETAILS FOR the xNewsletter script:

While subscribing to the newsletter, it is possible to subscribe the same e-mail address more than once. For that you only have to insert a % between the addresses, for example:

%testmail@localhost.de%testmail@localhost.de%testmail@localhost.de

This is written as one address to the data file, but when the file is read by the script the string is separated at the % characters. Since the address testmail@localhost.de now exists more than once, it is possible to use a foreign newsletter script for e-mail bombing / mail flooding. You can further add some more "features" with PHP.
If you subscribe an e-mail address like the following, it is not possible to delete the entry afterwards (except by deleting it directly from the data file), since it is no longer recognized as an address:

<?php include("text.txt");?>testmail@localhost.de

If you combine this with the previously described % characters, you can insert 100 addresses which then have to be deleted from the data file with some effort.

Since all addresses are saved to a file that is readable for anyone, it is possible to "steal" e-mail addresses that could almost be seen as verified. This could be quite interesting for spammers.

Under certain circumstances it is also possible to execute arbitrary commands.

Programming mistake: No code for hostile characters exists.

IMPACT

It is possible to do easy, almost untraceable e-mail bombing. Also the file could be crashed. After that, all subscribed e-mails are deleted. If you have 1000 e-mail addresses in the data file... don't even think about the problems if you don't have any backups.

EXPLOIT

1. Just subscribe with the following code to create an almost undeletable entry:

<?php include("text.txt");?>testmail@localhost.de

2. Subscribe with the following address to add an address (testmail@localhost.de) more than once:

%testmail@localhost.de%testmail@localhost.de%testmail@localhost.de

SOLUTION FOR 1. and 2.

Insert the following code between lines 91 and 92:

/* corrected by Markus (Firehack) K. visit www.it-checkpoint.net */
# were invalid characters used (% etc.)?
$unz = array("<", ">", "%", "(", ")", "?");
foreach ($unz as $ung) {
    if (strstr($email, $ung)) { echo "Dieses Zeichen ".$ung." ist nicht erlaubt!"; exit; }
}

DETAILS FOR the x-dev.de Site itself:

By changing the variables "page" or "f", it is possible to read arbitrary files.

EXPLOIT

The exploit will not be released to the public (it is really easy to exploit anyway).

SOLUTION

Sorry, we can't provide a solution since we didn't try to read the source...
We think this is the job of the programmers themselves, not our job.

ADDITIONAL INFORMATION

Vendor has been contacted.

Bugs discovered and published by Markus "Firehack" Köberle ( Firehack@IT-Checkpoint.net ) and by Florian "BlueScreen" Hobelsberger ( BlueScreen@IT-Checkpoint.net ) from www.IT-Checkpoint.net

-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
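As an added illustration, not part of the advisory and not the x-dev.de scripts' own code or the it-checkpoint patches, the following PHP shows how the two input-handling fixes above (the guestbook [img] board code and the newsletter subscription) can be written as allowlists rather than character blacklists. The [img] tag is only rendered when its URL has an http or https scheme, so a javascript: URL ends up as escaped visible text; a subscription is only stored when it is a single syntactically valid address, which rules out both the %-joined lists and the embedded PHP tags. The function names, the in-memory subscriber list and the sample inputs are assumptions.

```php
<?php
// Added example for itcp advisory 12: hardened handling of the two user
// inputs the advisory discusses. Illustrative code, not the x-dev.de scripts'
// own code and not the advisory's patch; all names here are assumptions.
declare(strict_types=1);

/**
 * Render a guestbook entry: escape everything first, then turn [img]...[/img]
 * into an <img> tag only when the URL has an allowlisted http(s) scheme.
 * A javascript:, data:, vbscript: or relative URL is left as escaped text.
 */
function render_entry(string $entry): string
{
    // Escape the whole entry once. After this step the text cannot contain
    // raw <, >, " or ', so a validated URL can go into an attribute as-is.
    $safe = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');

    return preg_replace_callback(
        '/\[img\]([^\[\]]+)\[\/img\]/i',
        static function (array $m): string {
            $url = trim($m[1]);
            // Allowlist: absolute http/https URLs only, matched case-insensitively
            // so "JaVaScRiPt:" cannot slip past a lowercase-only check either.
            if (!preg_match('#^https?://\S+$#i', $url)) {
                return $m[0]; // keep the tag as visible, already-escaped text
            }
            return '<img src="' . $url . '" border="0">';
        },
        $safe
    ) ?? $safe;
}

/**
 * Validate one newsletter subscription. Returns the address to store, or
 * null if it must be rejected. Requiring a single valid address rejects both
 * payload shapes from the advisory: a list joined with the data file's %
 * separator (more than one '@') and embedded <?php ... ?> tags.
 */
function validate_subscriber(string $input): ?string
{
    $email = trim($input);
    // Explicitly refuse the data file's field separator, whitespace and markup
    // characters, so a stored line can never be split or parsed as code.
    if ($email === '' || preg_match('/[%<>?\s]/', $email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Append a subscriber to the list, refusing duplicates (compared
 * case-insensitively) so that one address can never be mailed twice.
 * Returns true when the address was added.
 */
function add_subscriber(array &$list, string $input): bool
{
    $email = validate_subscriber($input);
    if ($email === null) {
        return false;
    }
    foreach ($list as $existing) {
        if (strcasecmp($existing, $email) === 0) {
            return false;
        }
    }
    $list[] = $email;
    return true;
}

// Constructed sample inputs: the advisory's payload shapes plus benign ones.
if (PHP_SAPI === 'cli') {
    foreach (['[img]http://example.com/pic.png[/img]',
              "[img]javascript:alert('XSS');[/img]",
              '<script>alert(1)</script>'] as $entry) {
        echo render_entry($entry), PHP_EOL;
    }
    $subscribers = [];
    foreach (['testmail@localhost.de',
              'TestMail@localhost.de',
              '%testmail@localhost.de%testmail@localhost.de',
              '<?php include("text.txt");?>testmail@localhost.de'] as $input) {
        printf("%-55s => %s\n", $input,
               add_subscriber($subscribers, $input) ? 'added' : 'rejected');
    }
}
```

Run from the command line, the first entry becomes an <img> tag, the javascript: entry is printed as the literal text [img]javascript:alert(&#039;XSS&#039;);[/img], the script tag is printed escaped, the first address is added, and the three remaining subscriptions are rejected (duplicate, %-list, embedded tag). Independently of input filtering, note that the corrected xGB_write.php fragment quoted above still ends with include("./data/gb_data.dat"): the guestbook executes its data file as PHP, which is the only reason PHP tags in an entry have any effect at all. Reading the CSV data with file() or fgetcsv() instead of include() removes that execution path regardless of which characters the filter lets through.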