SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link 
Number Two Link Number Two  Link Number One Link Number One Link Number Two Link 
Number Two   
                          Entire Site Advisories Calendar Columnists Elsewhere 
                          Guest Feature Infocus Library Links Mailing Lists 
                          (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- 
                          FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- 
                          FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF 
                          NEWS -- VULN-DEV News Products Services Tools Vulns








             
             




                         BUGTRAQ ARCHIVE 

                        [ Message Index ] [ Thread Index ][ Reply ]
                        [ prev Msg by Date ][ next Msg by Date ]


                              To: BugTraq
                              Subject: ECHU.ORG Alert #4: GuppY makes XSS 
                              attacks easy
                              Date: Sep 29 2003 4:23AM
                              Author: David Suzanne <das echu org>
                              Message-ID: 
                              <20030929030831.25275.qmail@mail.securityfocus.com>


--------------------------------
| GuppY makes XSS attacks easy |
--------------------------------


PROGRAM: GuppY
VULNERABLE VERSIONS: All versions under 2.4p1
IMMUNE VERSIONS: 2.4p1
SEVERITY: high


Tested version
==============
GuppY 2.4 on the official GuppY website.


Description
============ 
"GuppY is a small web portal, meant to be easy to use for the end user that you are,
and 
which does not require a database to run.This architecture allows then to install
it on 
almost all Internet web sites hosters (or almost all of them), the only preriquisite
being 
that your hoster has to provide the PHP scripting language facility." - GuppY website

GuppY use the postguest.php file for its forum and guestbook modules. This file contain

XSS holes, an attacker can execute code since [c=codecolor]text[/c] has no filter.


POSTGUEST.PHP
=============
Problems come from this part:

Line 196: $ptxt = preg_replace("/(\[c=(.*?)\])(.*?)(\[\/c\])/i", "<font style=\"color:\\2\">\\3</font>",$ptxt);
Line 197: $ptxt = preg_replace("/(\[c=(.*?)\])(.*?)(\[\/C\])/i", "<font style=\"color:\\2\">\\3</font>",$ptxt);
Line 198: $ptxt = preg_replace("/(\[C=(.*?)\])(.*?)(\[\/c\])/i", "<font style=\"color:\\2\">\\3</font>",$ptxt);
Line 199: $ptxt = preg_replace("/(\[C=(.*?)\])(.*?)(\[\/C\])/i", "<font style=\"color:\\2\">\\3</font>",$ptxt);

A badly disposed member can post a message containing code really easily in forum
and guestbook modules. Example:
(This proof-of-concept will show a window that can freeze your computer if using Internet
Explorer so take care)

[c=expression(alert('unsecure'))]texte[/c]


Solution
========
In order to avoid the vulnerability, add a filter that will block ;<>*()"'] caracters
to lines 196 to 199:

Line 196: $ptxt = preg_replace("/(\[c=([#a-zA-Z0-9]*)\])(.*?)(\[\/c\])/i", "<font
style=\"color:\\2\">\\3</font>",$ptxt);
Line 197: $ptxt = preg_replace("/(\[c=([#a-zA-Z0-9]*)\])(.*?)(\[\/C\])/i", "<font
style=\"color:\\2\">\\3</font>",$ptxt);
Line 198: $ptxt = preg_replace("/(\[C=([#a-zA-Z0-9]*)\])(.*?)(\[\/c\])/i", "<font
style=\"color:\\2\">\\3</font>",$ptxt);
Line 199: $ptxt = preg_replace("/(\[C=([#a-zA-Z0-9]*)\])(.*?)(\[\/C\])/i", "<font
style=\"color:\\2\">\\3</font>",$ptxt);


Vendor status
==============
GuppY developper's team has been contacted, a patch has been released tonight 
that fix the problem. Thanks to aldweb (freeguppy.org webmaster) for his quick answer.


Links
=====
GuppY: http://www.freeguppy.org
Patch: http://www.freeguppy.org/file/guppy_patch2.zip
Version 2.4p1: http://www.freeguppy.org/file/guppy.zip


This vulnerability's orginal paper can be found here: http://www.echu.org/articles/alertes/echu-
alert4.txt


David Suzanne (dAs)
das[a]echu.org
http://www.echu.org 


-----------------------------------------------------------------
ECHU.ORG is not responsible for the misuse of the information we 
provide through our security advisories. These advisories are a 
service to the professional security community. In no event shall 
ECHU.ORG be liable for any consequences whatsoever arising out of 
or in connection with the use or spread of this information.
-----------------------------------------------------------------





                  Want to link to this message? Use this URL: 
                  <http://www.securityfocus.com/archive/1/339491>
                  Disclaimer, Terms & Conditions


                  About this List


                  Featured Lists:

                  ARIS Users
                  bugtraq
                  bugtraq-es
                  bugtraq-french NEW
                  bugtraq-jp
                  firewalls
                  focus-ids
                  focus-ih
                  focus-linux
                  focus-ms
                  focus-sun
                  focus-unix-other
                  focus-virus
                  forensics
                  forensics-es
                  honeypots
                  incidents
                  libnet
                  pen-test
                  secevents
                  secpapers
                  secprog
                  sectools
                  secureshell
                  security-basics
                  security-management NEW
                  securityjobs
                  vpn
                  vuln-dev
                  webappsec

                  Newsletters:

                  sf-news
                  ms-secnews
                  linux-secnews


                  [ more . . . ]




                        Privacy Statement
                        Copyright © 1999-2003 SecurityFocus