[VIM] My Little Homepage - source verify of different products
Steven M. Christey
coley at mitre.org
Mon Jan 30 19:55:33 EST 2006
Not sure I fully agree with this:
>The name of the website is actually 'My Little Homepage', and there is
>'My Little Forum' and 'My Little Guestbook'. The name of the software
>is actually 'phpSQLiteCMS'. It's therefore not 'multiple product'
There are separate product downloads, and the same bbcode() function,
which is copied *almost* verbatim across products, but with slight
differences in each product.
A short list of products and relevant code follows.
- Steve
========================================================================
my little weblog
http://www.mylittlehomepage.net/my_little_weblog
textfile version:
http://www.mylittlehomepage.net/downloads/weblog.zip
Looking at the weblog product, we have weblog.php, which includes:
> $string = preg_replace("#\[link\](.+?)\[/link\]#is", "<a href=\"\\1\">\\1</a>", $string);
> $string = preg_replace("#\[link=(.+?)\](.+?)\[/link\]#is", "<a href=\"\\1\">\\2</a>", $string);
Assuming an input of:
[link]javascript:alert('hi')[/link]
It would appear to produce:
<a href="javascript:alert('hi')">javascript:alert('hi')</a>
based on the first preg_replace() above.
This aligns with evuln's sample exploit.
** NOTE ** this is only based on source inspection and a non-100%
complete understanding of PHP preg_replace()
========================================================================
my little guestbook
http://www.mylittlehomepage.net/my_little_guestbook
download:
http://www.mylittlehomepage.net/downloads/guestbook.zip
relevant file: guestbook.php - bbcode()
vulnerable code, lines 95 through 101:
>function bbcode($string)
>...
> $string = preg_replace("#\[link\](.+?)\[/link\]#is", "<a href=\"\\1\">\\1</a>", $string);
> $string = preg_replace("#\[link=(.+?)\](.+?)\[/link\]#is", "<a href=\"\\1\">\\2</a>", $string);
NOTE: a "diff" of this bbcode() function with my little forum's
bbcode() function shows a slight difference.
========================================================================
my little forum
http://www.mylittlehomepage.net/my_little_forum
download:
http://www.mylittlehomepage.net/downloads/forum.zip
relevant file: functions.php
Relevant source, lines 193-201:
>function bbcode($string)
>...
> $string = preg_replace_callback("#\[link\](.+?)\[/link\]#is", "shorten_link", $string);
> $string = preg_replace("#\[link=(.+?)\](.+?)\[/link\]#is", "<a href=\"\\1\">\\2</a>", $string);
The shorten_link() callback function merely takes long links and
replaces part of the link text with "...".
NOTE: obviously this implementation of bbcode() is slightly different
from the one in the other products, due to the use of
preg_replace_callback.
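As an added illustration (not code from the mylittlehomepage.net products), the quoted [link] lines run unchanged against the sample input from the weblog section above, beside a hardened variant that allowlists the URL scheme and HTML-escapes before emitting markup. The hardened design and the helper names (safe_anchor, bbcode_link_hardened) are assumptions for this example, not the project's own fix.

```php
<?php
// The two preg_replace() calls exactly as quoted in the post: the captured
// URL (\1) is copied straight into href with no scheme check or escaping.
function bbcode_link_original(string $string): string
{
    $string = preg_replace("#\[link\](.+?)\[/link\]#is", "<a href=\"\\1\">\\1</a>", $string);
    $string = preg_replace("#\[link=(.+?)\](.+?)\[/link\]#is", "<a href=\"\\1\">\\2</a>", $string);
    return $string;
}

// Assumed hardened helper: only http/https targets become anchors; anything
// else (javascript:, data:, vbscript:, relative paths) is rendered as escaped text.
function safe_anchor(string $url, string $text): string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $safeText;
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $safeText . '</a>';
}

// Same patterns as the original, but routed through preg_replace_callback()
// so the match goes through safe_anchor() instead of a raw backreference.
function bbcode_link_hardened(string $string): string
{
    $string = preg_replace_callback(
        "#\[link\](.+?)\[/link\]#is",
        fn(array $m) => safe_anchor($m[1], $m[1]),
        $string
    );
    $string = preg_replace_callback(
        "#\[link=(.+?)\](.+?)\[/link\]#is",
        fn(array $m) => safe_anchor($m[1], $m[2]),
        $string
    );
    return $string;
}

// Constructed inputs: the sample from the post and a benign link for contrast.
$samples = [
    "[link]javascript:alert('hi')[/link]",
    "[link=http://www.mylittlehomepage.net/]homepage[/link]",
];
foreach ($samples as $input) {
    echo "input:    ", $input, "\n";
    echo "original: ", bbcode_link_original($input), "\n";
    echo "hardened: ", bbcode_link_hardened($input), "\n\n";
}
```

Running this confirms the post's reading of the first preg_replace(): the original function emits the javascript: URI as the href, while the hardened function drops the anchor and keeps only escaped text.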