SecurityTracker.com

SecurityTracker
Archives


Category:  Application (Generic)  >  xGB Vendors:  x-dev.de
xGB PHP-based Guestbook Software Allows Cross-Site Scripting Attacks and Lets Remote Users Delete the Datafile and Possibly Execute Arbitrary PHP Commands on the Server
Date:  Apr 16 2002
Impact:  Disclosure of authentication information, Execution of arbitrary code via network, Modification of system information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Description:  An input validation vulnerability was reported in x-dev.de's 'xGB' guestbook software. A remote user can execute cross-site scripting attacks against xGB users. A remote user can also delete the datafile and may be able to execute arbitrary PHP commands on the server.

IT-Checkpoint security reported several vulnerabilities in the xGB guestbook software.

It is reported that a remote user can insert JavaScript within user-supplied [IMG]-tags: the guestbook rewrites [img]...[/img] into an <img src="..."> element without checking the URL between the tags (see the eregi_replace() line quoted in the source message below), so a javascript: URL is placed directly into the src attribute. When another (victim) user views the guestbook, the JavaScript is executed by the victim's browser. The code originates from the site running the guestbook and runs in the security context of that web site, so it can access any of the target user's cookies associated with that site. Current browsers no longer execute javascript: URLs given as an image source, so the demonstration payload below does not fire in them; the underlying defect, an unchecked URL written into an HTML attribute, is unchanged.
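To make the mechanism concrete, the following Python re-implementation (added for this page; it is not code from xGB, IT-Checkpoint or SecurityTracker) renders the [img] tag three ways: the original eregi_replace() behaviour quoted in the source message, the IT-Checkpoint replacement pattern that forbids quotes and parentheses inside the URL, and an allowlist version that only accepts http(s) URLs with a host and HTML-escapes them. The http/https allowlist and the sample URLs are the editor's assumptions.

```python
"""[img] BBCode rendering: the xGB behaviour, the IT-Checkpoint patch, and a
scheme-allowlist version, re-implemented in Python for illustration."""
import html
import re
from urllib.parse import urlsplit

# Equivalent of the eregi_replace() pattern quoted in the advisory:
# case-insensitive, captures everything up to the next '['.
IMG_ORIGINAL = re.compile(r"\[img\]([^\[]+)\[/img\]", re.IGNORECASE)

# Equivalent of the patched preg_replace() pattern (flags s, i, U): the URL
# may not contain a double quote, single quote or parenthesis.
IMG_PATCHED = re.compile(r"\[img\]([^\"'()]*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Assumption for this example: the guestbook only needs ordinary web images.
ALLOWED_SCHEMES = {"http", "https"}


def render_img_vulnerable(text: str) -> str:
    """Unpatched xGB logic: whatever sits between the tags becomes the src value."""
    return IMG_ORIGINAL.sub(r'<img src="\1" border="0">', text)


def render_img_patched(text: str) -> str:
    """IT-Checkpoint patch logic: four characters are forbidden in the URL,
    but the URL scheme itself is never examined."""
    return IMG_PATCHED.sub(r'<img border="0" src="\1">', text)


def _allowlisted_img(match) -> str:
    url = match.group(1).strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        # Not an acceptable image URL: keep the entry readable but inert by
        # emitting the literal tag text, HTML-escaped.
        return html.escape(match.group(0), quote=True)
    # Escaping the URL stops a quote inside it from closing the src attribute.
    return '<img src="%s" border="0">' % html.escape(url, quote=True)


def render_img_hardened(text: str) -> str:
    """Allowlist version (editor's addition): only http(s) URLs with a host
    become images; everything else is shown as escaped text."""
    return IMG_ORIGINAL.sub(_allowlisted_img, text)
```

The advisory's payload contains both quotes and parentheses, so the patched pattern leaves it unrendered; a javascript: URL written without those four characters still matches and ends up in src, because the pattern tests characters rather than the scheme. The allowlist version decides on scheme and host and escapes the URL, so a quote inside it cannot break out of the attribute.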

It is also reported that a remote user can delete all data in the datafile by submitting PHP code in an entry field and, under certain circumstances, can execute arbitrary commands on the server. The patched xGB_write.php quoted in the source message ends with include("./data/gb_data.dat"), i.e. the datafile is loaded as PHP source, which is consistent with PHP tags stored in an entry being interpreted when the file is read.

The flaws reportedly exist in the xGB.php and xGB_write.php files.

The following demonstration exploit instructions are provided:

Enter the following in a guestbook entry to test the cross-site scripting flaw:

1. [img]javascript:alert('This Guestbook allows Cross Site Scripting');[/img]

Enter the following to delete the datafile:

2. First insert this code (<?php echo"delete datafile";?>) into a field like "Ihr Name" (your name), "Ihre eMail" (your e-mail), "Homepage-Name" or "Homepage-URL". After that you can see the text you inserted in the "Text" field. Now insert the same code into the same field as before. Now you get an error message. If you now insert a third message, the whole datafile is deleted and only the last message is saved in it.

Impact:  A remote user can cause arbitrary JavaScript to be executed in an xGB viewer's browser to steal the victim's cookies associated with the site running xGB. A remote user can also cause the datafile to be deleted and may be able to cause arbitrary commands to be executed on the system.
Solution:  The vendor has issued a fixed version, available for download at:

http://www.x-gfx.de/download/download.php?id=xGB

For the vendor's notice regarding this vulnerability, see:

http://www.x-gfx.de/forum/read.php?f=3&i=2&t=2

Vendor URL:  www.x-gfx.de/index.php?cat=php&page=./download/down.php
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based
Reported By:  "Florian Hobelsberger / BlueScreen" <genius28@gmx.de>
Message History:   None.


 Source Message Contents

Date:  Sun, 14 Apr 2002 23:40:06 +0200
From:  "Florian Hobelsberger / BlueScreen" <genius28@gmx.de>
Subject:  Several x-dev.de Guestbook and xNewsletter Vulnerabilities ( www.x-dev.de )

 



------------------------------------------------------------
itcp advisory 12                          advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/12.html
April 14th, 2002
------------------------------------------------------------



Several x-dev.de Guestbook and xNewsletter Vulnerabilities ( www.x-dev.de )
-------------------------

Affected programs:  x-dev.de Guestbook, xNewsletter, the site x-dev.de itself
URL: http://www.x-gfx.de/index.php?cat=php&page=./download/down.php
Vendor: http://www.x-gfx.de / http://www.x-dev.de

Vulnerability-Class: Arbitrary Command Execution under certain
circumstances; Cross Site Scripting; Information Disclosure; Deletion of
datafiles;

OS specific: No
Problem-Type: remote


SUMMARY

The guestbook and newsletter scripts by "x-development" are vulnerable to
cross-site scripting.
Further, denial of service possibilities and a possible remote command
execution vulnerability have been found.

Description of x-dev.de Guestbook (loosely translated from German into
English):

"- Guestbook script for your homepage
- Fully customizable (header, footer & templates)
- Data is saved via CSV (text files), no database necessary
- Large administration panel incl. bad-word list
- Smilies and UBC (board code) can be enabled or disabled
- Allow or disallow HTML in entries
- Fields: name, e-mail address, homepage (optional), homepage title
(optional) and entry"


Description of xNewsletter (loosely translated from German into English):

"- Sends e-mails to all e-mail addresses in the list
- Your users will be informed and will come back to your site
- Saves data via CSV (text file), no database necessary
- Easy adjustment and administration
- The user can delete his address from the script himself
- Can easily be included at other sites
- For further information read the attached readme.txt"


Description of www.x-dev.de (loosely translated from German into English):

"This is the site of x-dev, an upcoming design-company."



DETAILS FOR the Guestbook

There is no check for JavaScript written by the user within [IMG]-tags in the
x-dev Guestbook. Further, it is possible to delete all data in the datafile
via PHP code.
Under certain circumstances it is also possible to execute arbitrary
commands.


Programming mistake in xGB.php line 51 and xGB_write.php lines 45 and 46
(missing code):

    $text[$start] = eregi_replace("\[img\]([^\[]+)\[/img\]", "<img src=\"\\1\" border=\"0\">", $text[$start]);


IMPACT

This can result in denial of service of the guestbook, page forwarding,
possibly stealing of cookies, etc.
(On Bugtraq there was a really interesting discussion about several
possibilities to exploit cross-site scripting vulnerabilities. In the next
two months we will also release a paper about it.)


EXPLOIT
Just write this in your guestbook entry:

1. [img]javascript:alert('This Guestbook allows Cross Site Scripting');[/img]

or with this entry you can delete the whole datafile:

2. First insert this code (<?php echo"delete datafile";?>) into a field like
   "Ihr Name" (your name), "Ihre eMail" (your e-mail), "Homepage-Name" or
   "Homepage-URL". After that you can see the text you inserted in the
   "Text" field. Now insert the same code into the same field as before.
   Now you get an error message. If you now insert a third message, the
   whole datafile is deleted and only the last message is saved in it.


SOLUTION FOR 1.

Replace line 51 with the following code:

    /* patch by Markus Köberle (Firehack), visit: www.it-checkpoint.net */
    $text[$start] = preg_replace("/\[img]([^\"\'\(\)]*)\[\/img\]/siU", '<img border="0" src="\1">', $text[$start]);


SOLUTION FOR 2.

Replace lines 45 and 46 with the following code:

    /* corrected by Markus (Firehack) K., visit www.it-checkpoint.net */
    # were invalid characters (%, etc.) used?
    $ung = "Invalid characters such as <,>,%,?,(,) were found, please repeat your input!";
    $newname     = htmlspecialchars($newname);
    $newemail    = htmlspecialchars($newemail);
    $newpagename = htmlspecialchars($newpagename);
    $newpageurl  = htmlspecialchars($newpageurl);
    if (preg_match('/(\$|%|\(|\)|\?)/', $newname))     { echo $ung; exit; }
    if (preg_match('/(\$|%|\(|\)|\?)/', $newemail))    { echo $ung; exit; }
    if (preg_match('/(\$|%|\(|\)|\?)/', $newpagename)) { echo $ung; exit; }
    if (preg_match('/(\$|%|\(|\)|\?)/', $newpageurl))  { echo $ung; exit; }
    $newname = ereg_replace(" ", "!", $newname);
    include("./data/gb_data.dat");


DETAILS FOR xNewsletter-script:

While subscribing to the newsletter, it is possible to subscribe the same
e-mail address more than once. For that you only have to insert a % between
the addresses, for example:

    %testmail@localhost.de%testmail@localhost.de%testmail@localhost.de

This is written like one address to the datafile, but when the file is read
by the script the string is separated at the %-characters. Since the address
testmail@localhost.de now exists more than once, it is possible to use
someone else's newsletter script for e-mail bombing / mail flooding. You can
further add some more "features" with PHP.

If you subscribe an e-mail address like the following, it is not possible to
delete the entry afterwards (except if you delete it directly from the data
file), since it is not recognized as an address anymore:

    <?php include("text.txt");?>testmail@localhost.de

If you combine this with the previously described %-characters, you can
insert 100 addresses which then have to be deleted from the datafile with
some effort.

Since all addresses are saved to a file that is readable for anyone, it is
possible to "steal" e-mail addresses that could almost be seen as verified.
This could be quite interesting for spammers.

Under certain circumstances it is also possible to execute arbitrary commands.

Programming mistake: No code for hostile characters exists.


IMPACT

It is possible to do easy, almost untraceable e-mail bombing. Also the file
could be crashed. After that, all subscribed e-mails are deleted. If you have
1000 e-mail addresses in the datafile... don't even think about the problems
if you don't have any backups.


EXPLOIT

1. Just subscribe with the following code to create an almost undeletable
   entry:

    <?php include("text.txt");?>testmail@localhost.de

2. Subscribe with the following address to add an address more than once
   (testmail@localhost.de):

    %testmail@localhost.de%testmail@localhost.de%testmail@localhost.de


SOLUTION FOR 1. and 2.

Insert the following code between lines 91 and 92:

    /* corrected by Markus (Firehack) K., visit www.it-checkpoint.net */
    # were invalid characters (%, etc.) used?
    $unz = array("<", ">", "%", "(", ")", "?");
    foreach ($unz as $ung) {
        if (strstr($email, $ung)) { echo "The character " . $ung . " is not allowed!"; exit; }
    }


DETAILS FOR THE x-dev.de Site itself:

By changing the variables "page" or "f", it is possible to read arbitrary
files.


EXPLOIT

Exploit will not be released for the public (it is really easy to exploit
anyway).


SOLUTION

Sorry, we can't provide a solution since we didn't try to read the source...
We think this is the job of the programmers themselves, not our job.


ADDITIONAL INFORMATION

Vendor has been contacted.

Bugs discovered and published by Markus "Firehack" Köberle
( Firehack@IT-Checkpoint.net ) and by Florian "BlueScreen" Hobelsberger
( BlueScreen@IT-Checkpoint.net ) from www.IT-Checkpoint.net

-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
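The xNewsletter problems described in the advisory above (the %-separated subscriber file and the entry that can no longer be removed) modelled in Python, as an added example for this page rather than code from xNewsletter or IT-Checkpoint. The file layout (addresses joined by % into one string), the unsubscribe-by-exact-match behaviour and the address syntax allowlist are assumptions made for the illustration; the forbidden-character list is the one from the IT-Checkpoint patch.

```python
"""Model of the xNewsletter subscriber file: addresses kept in one text
string separated by '%'. Python re-implementation for illustration; the exact
file layout is an assumption, not taken from the original script."""
import re

DELIM = "%"

# Characters rejected by the IT-Checkpoint patch for the newsletter script.
FORBIDDEN = ("<", ">", "%", "(", ")", "?")

# Conservative address syntax (editor's assumption, not from the original).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def load_subscribers(datafile: str) -> list:
    """Read side of the script: split the file on '%' and drop empty pieces."""
    return [a for a in datafile.split(DELIM) if a]


def _append(datafile: str, entry: str) -> str:
    return entry if not datafile else datafile + DELIM + entry


def subscribe_vulnerable(datafile: str, email: str) -> str:
    """Unpatched behaviour: the submitted string is stored without any check,
    so a '%' inside it becomes a record separator on the next read."""
    return _append(datafile, email)


def unsubscribe(datafile: str, email: str) -> str:
    """Self-service removal: drop entries equal to the submitted address.
    An entry with extra characters in front of the address never matches."""
    kept = [a for a in load_subscribers(datafile) if a != email]
    return DELIM.join(kept)


def validate_address(email: str) -> bool:
    """Patch-style character blacklist plus an allowlist of address syntax."""
    if any(ch in email for ch in FORBIDDEN):
        return False
    return ADDRESS_RE.match(email) is not None


def subscribe_hardened(datafile: str, email: str):
    """Return (accepted, datafile). Rejects malformed addresses and
    duplicates, which also removes the mail-flooding vector."""
    if not validate_address(email):
        return False, datafile
    if email in load_subscribers(datafile):
        return False, datafile
    return True, _append(datafile, email)
```

The advisory's own fix only rejects the six listed characters; the allowlist on address syntax together with the duplicate check is what closes the flooding vector regardless of which delimiter the file uses. Storing one address per line, or writing the file with a quoting CSV writer, would remove the storage format's dependence on input filtering altogether.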








Copyright 2002, SecurityGlobal.net LLC