phpMyChat Multiple XSS vulnerabilities.

2005.12.03
Credit: Louis Wang
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

phpMyChat Multiple XSS vulnerabilities. I. BACKGROUND phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP and a database, supporting MySQL, PostgreSQL, and ODBC. II. DESCRIPTION phpMyChat 0.14.6 start_page.css.php, style.css.php, users_popupL.php are prone to Cross-site Scripting(XSS) vulnerability. A remote attacker could get cookie-based credential information with a specially-crafted URL or execute arbitrary web script or HTML. III. PUBLISH DATE 2005-12-2 IV. AUTHOR Louis Wang, Fortinet Security Research Team (FSRT)(secresearch at fortinet dot com.) V. AFFECTED SOFTWARE phpMyChat 0.14.6 is confirmed to be affected. Older versions are not verified. VI. ANALYSIS in start_page.css.php and style.css.php if (!isset($medium) || $medium == "") $medium = 10; $large = round(1.4 * $medium); $small = round(0.8 * $medium); Parameter $medium is not carefully validated. in users_popupL.php <A HREF="<?php echo("$From?Ver=L&L=$L"); ?>" TARGET="_blank"><?php echo(L_CHAT); ?></A> Parameter $From is not carefully validated. VII. Proof of Concept http://victimhost/phpmychat/chat/config/start_page.css.php?medium=><scri pt>alert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/config/style.css.php?medium=><script>al ert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/users_popupL.php?From="><script>alert(2 9837274289742472);</script>>&L=english&LastCheck=1133281246&B=0 VIII. SOLUTION Input validation will fix the vulnerability. IX. ADVISORY http://www.fortinet.com/FortiGuardCenter/idp.html#fsa X. REFERENCE http://phpmychat.sourceforge.net/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top