Tags:
Details
Affected Software: Corpse C&C
Fixed in Version: ?
Issue Type: XSS
Original Code: Found Here
Fairly straightforward XSS bug here. This week's bug can be found in the index.php file for the Corpse C&C, specifically the index file located at Corpse/info/socks/index.php. Buried deep within the print statement starting on line 30 are two unsanitized, unescaped variables ($states and $countrys). Both $states and $countrys are taken directly from $_POST parameters and assigned to PHP variables, and those PHP variables are then used to build HTML markup. Buried within a large print statement, it is a little difficult to spot, but this bug is classic XSS.
<?php
// Socks listing page of the Corpse C&C (Corpse/info/socks/index.php per the text above).
// Reads two POST parameters, prints a country/state selection form, then lists the
// `socks` rows updated in the last 24 hours, delegating per-row output to printent().
// NOTE(review): the quoting inside the print/echo strings below does not parse as PHP
// as rendered on this page (unescaped " inside "..." literals); the original file
// presumably escaped or single-quoted them — verify against the source before reuse.
include_once('geoipcity.inc');
include_once('../mysqllog.php');

// Both values come straight from the request and are never validated or escaped.
// They are interpolated into HTML further down ("Current country selected:$countrys ...")
// and passed to printent(); that unescaped interpolation is the reflected XSS this page
// describes. Escape at output, e.g. htmlspecialchars($countrys, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
// or accept only values present in the option lists printed below.
// A missing parameter is null, which the loose == "" check maps to "all".
$countrys = $_POST['countrys'];
$states = $_POST['states'];
if ($countrys == "") { $countrys = "all"; }
if ($states == "") { $states = "all"; }

// $month / $day are computed here but not referenced anywhere in the code shown.
$date = date("m-d");
list($month, $day) = explode('-', $date);

// Inline stylesheet plus the first half of the form (country <select>).
print "<style><!- a:link{color:#404040;text-decoration:none} a:visited{color:#909090;text-decoration:none} a:active{color:#000000;text-decoration:none} a:hover{color:#000000;text-decoration:none} input{BACKGROUND-COLOR:#66CF96;BORDER-BOTTOM:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-RIGHT:#ffffff 1px solid;BORDER-TOP:#ffffff 1px solid;COLOR:#000000;FONT-FAMILY:Tahoma,sans-serif;FONT-SIZE:12px} -></style> <table align="center" border="1"><tbody><tr><td><form action="index.php" method="post"><b>Select by country</b></form></td><td><select name="countrys"><option value="all">All countries";
// $GEOIP_COUNTRY_CODES / $GEOIP_COUNTRY_NAMES are presumably defined by geoipcity.inc
// (not visible here); the loop runs until the first empty code.
$j = 1;
while ($GEOIP_COUNTRY_CODES[$j] != "") {
    print "</option><option value="$GEOIP_COUNTRY_CODES[$j]">$GEOIP_COUNTRY_NAMES[$j]\r\n";
    $j++;
}
// Second half of the form (state <select>) and the "Current ... selected" banner.
// $countrys and $states are written verbatim into the page here — this is the XSS sink.
// (The "NV" option carries the label "NU" in the original string; left as-is.)
print "</option></select></td><td> <input type="submit" value="submit"></td></tr><tr><td> <form action="index.php" method="post"><b>Select by state</b></form></td><td><select name="states"><option value="all">all</option><option value="AK">AK</option><option value="AL">AL</option><option value="AR">AR</option><option value="AS">AS</option><option value="AZ">AZ</option><option value="CA">CA</option><option value="CO">CO </option><option value="CT">CT</option><option value="DC">DC</option><option value="DE">DE</option><option value="FL">FL</option><option value="GA">GA</option><option value="HI">HI</option><option value="IA">IA</option><option value="ID">ID</option><option value="IL">IL</option><option value="IN">IN </option><option value="KS">KS</option><option value="KY">KY</option><option value="LA">LA</option><option value="MA">MA</option><option value="MD">MD</option><option value="ME">ME</option><option value="MI">MI</option><option 
value="MN">MN</option><option value="MO">MO</option><option value="MP">MP </option><option value="MS">MS</option><option value="MT">MT</option><option value="NC">NC</option><option value="ND">ND</option><option value="NE">NE</option><option value="NH">NH</option><option value="NJ">NJ</option><option value="NM">NM</option><option value="NV">NU</option><option value="NY">NY </option><option value="OH">OH</option><option value="OK">OK</option><option value="OR">OR</option><option value="PA">PA</option><option value="PR">PR</option><option value="RI">RI</option><option value="SC">SC</option><option value="SD">SD</option><option value="TN">TN</option><option value="TX">TX </option><option value="UT">UT</option><option value="VA">VA</option><option value="VI">VI</option><option value="VT">VT</option><option value="WA">WA</option><option value="WI">WI</option><option value="WV">WV</option><option value="WY">WY</option></select> </td><td> <input type="submit" value="submit"></td></tr></tbody></table><b><center> Current country selected:$countrys Current state selected:$states</center></b> <table width="100%" cellspacing="0"><tbody><tr><td><table width="100%" bgcolor="#FFFFFF" cellspacing="1"><tbody><tr><td align="center" bgcolor="#66CF96"><b>List</b></td></tr></tbody></table></td></tr> <tr><td>";

// Only rows whose `update` timestamp is within the last 86400 seconds (24h) are listed.
// mktime() with no arguments returns the current Unix time.
$stime = mktime();
$stime = $stime - 86400;
// $mysql_host etc. are presumably set by ../mysqllog.php (not visible here).
// mysql_* is the legacy extension (removed in PHP 7); die() on failure echoes the driver
// error text to the client.
$link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
// $stime is an integer derived from mktime(), not from the request, so this concatenation
// is not request-controlled in the code shown; a prepared statement would still be the
// safe form if the query is ever extended with user-supplied filters.
$query = 'SELECT * FROM `socks` WHERE `update` >' . $stime . ' ORDER BY `update` DESC';
$result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
$tot = 0;
while ($row = mysql_fetch_assoc($result)) {
    // Positional layout consumed by printent(): 0 ip, 1 hport, 2 sport, 3 update,
    // 4 uptime, 5 uid, 6 used.
    $prms[0] = $row['ip'];
    $prms[1] = $row['hport'];
    $prms[2] = $row['sport'];
    $prms[3] = $row['update'];
    $prms[4] = $row['uptime'];
    $prms[5] = $row['uid'];
    $prms[6] = $row['used'];
    // Rows with an empty ip are skipped; $tot counts only the rows actually printed.
    if ($prms[0] != "") {
        printent($prms,$tot,$countrys,$states);
        $tot++;
    }
}
mysql_close($link);
// Column header row and the total count; note it is printed after the rows themselves.
// $tot is a local integer counter, so its interpolation here is safe.
print "<table width="100%" bgcolor="#FFFFFF" cellspacing="1"><tbody><tr><td align="center" bgcolor="#66CF96">IP</td><td align="center" bgcolor="#66CF96">UPDATE</td><td align="center" bgcolor="#66CF96">ID</td> <td align="center" bgcolor="#66CF96">COUNTRY</td> <td align="center" bgcolor="#66CF96">CITY</td> <td align="center" bgcolor="#66CF96">STATE</td> <td align="center" bgcolor="#66CF96">UPTIME</td></tr></tbody></table><table width="100%" bgcolor="#FFFFFF" cellspacing="1"><tbody><tr><td align="right" bgcolor="#66CF96">Total:<b>$tot</b></td></tr></tbody></table></td></tr></tbody></table>";

// Renders one socks row.
//   $prms     positional row array built in the loop above (0 ip, 3 update, 5 uid used here)
//   $tot      running row index; in the portion shown it only selects $bcolor
//   $countrys / $states  the raw POST selections; compared against "all" below
// Declared after its first call, which PHP permits for an unconditional top-level
// function. The body continues beyond the end of this excerpt.
function printent($prms,$tot,$countrys,$states){
    // Alternate row colour by parity; $bcolor is not referenced in the portion shown.
    if(!($tot%2)) { $bcolor="#D6D6D6"; } else { $bcolor="#98E8E1"; }
    // chop() strips trailing whitespace from the stored uid.
    $tid = $prms[5];
    $tid = chop($tid);
    // GeoIP lookup of the stored ip; the database file is opened and closed for every row.
    $gi = geoip_open("../GeoIPCity.dat",GEOIP_STANDARD);
    $record = geoip_record_by_addr($gi,$prms[0]);
    geoip_close($gi);
    // Bitwise & on two booleans: evaluates like && for this test (both sides are bool),
    // but && is what is meant and would also short-circuit.
    if (($countrys == "all") & ($states == "all")) {
        echo "\r\n";
        // $prms[0] (ip) and $tid (uid) are database values written into HTML text and into
        // a JavaScript onclick attribute without escaping; they need the same per-context
        // output escaping as the POST values (HTML body vs. JS string literal).
        // NOTE(review): the attribute quoting on the next lines looks garbled in this copy —
        // confirm against the original file.
        echo "<font face="Fixedsys" color="#707070"><input type="button" value="\"Copy" ip\"="" onclick="window.clipboardData.setData(\"Text\",\"$prms[0]\")">$prms[0]</font>\r\n";
        // $prms[3] is the `update` column, formatted as a local timestamp.
        echo "<font face="Fixedsys" color="#707070">" . date("H:i:s d.m.y", $prms[3]) ."</font>\r\n";//socks
        echo "<font face="Fixedsys" color="#707070"><input type="button" value="\"Copy" id\"="" onclick="window.clipboardData.setData(\"Text\",\"$tid\")"> $tid</font>\r\n";//socks
        // Show flag
        // Unknown country: substitute "-" so the flag path is still well-formed.
        if ($record->country_code == "") { $record->country_code = "-"; $record->country_name = ""; }
        $c_code = strtolower($record->country_code);
        // $c_code / country_name come from the GeoIP record and are emitted unescaped as well.
        $flag = "<img src="../flags/$c_code.gif"> $record->country_name. ";
        echo "<font face="Fixedsys" color="#707070">$flag</font>\r\n";