phpMyChat Multiple XSS vulnerabilities. I. BACKGROUND phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP and a database, supporting MySQL, PostgreSQL, and ODBC. II. DESCRIPTION phpMyChat 0.14.6 start_page.css.php, style.css.php, users_popupL.php are prone to Cross-site Scripting(XSS) vulnerability. A remote attacker could get cookie-based credential information with a specially-crafted URL or execute arbitrary web script or HTML. III. PUBLISH DATE 2005-12-2 IV. AUTHOR Louis Wang, Fortinet Security Research Team (FSRT)(secresearch at fortinet dot com.) V. AFFECTED SOFTWARE phpMyChat 0.14.6 is confirmed to be affected. Older versions are not verified. VI. ANALYSIS in start_page.css.php and style.css.php if (!isset($medium) || $medium == "") $medium = 10; $large = round(1.4 * $medium); $small = round(0.8 * $medium); Parameter $medium is not carefully validated. in users_popupL.php <A HREF="<?php echo("$From?Ver=L&L=$L"); ?>" TARGET="_blank"><?php echo(L_CHAT); ?></A> Parameter $From is not carefully validated. VII. Proof of Concept http://victimhost/phpmychat/chat/config/start_page.css.php?medium=><scri pt>alert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/config/style.css.php?medium=><script>al ert(29837274289742472);</script>&FontName=1 http://victimhost/phpmychat/chat/users_popupL.php?From="><script>alert(2 9837274289742472);</script>>&L=english&LastCheck=1133281246&B=0 VIII. SOLUTION Input validation will fix the vulnerability. IX. ADVISORY http://www.fortinet.com/FortiGuardCenter/idp.html#fsa X. REFERENCE http://phpmychat.sourceforge.net/