####################################################################### # # Exploit Title: # Mohachat 0.1.1 Cross Site Scripting Vulnerability # Mohachat 0.1.1 HTML Form redirecting page # Date: 2014 18 March # Author: Dr.3v1l # Vendor Homepage: http://mohachat.org # Version : 0.1.1 # Tested on: Windows # Category: webapps # Google Dork: intext:"MOHA Chat 0.1.1 S.H.Mohanjith" # ####################################################################### # # [+] Exploit : # # http://<server>/mohachat-0.1.1/mohachat/login/ # # Just put the javascript code in username or password textbox and enter : # "><script>alert(/xss/)</script> # The input is reflected inside a tag parameter between double quotes. # ####################################################################### # # [+] Exploit : # # http://<server>/mohachat-0.1.1/mohachat # # HTML Form found in redirect page [high severity] # Vulnerability description # Manual confirmation is required for this alert. # # An HTML form was found in the response body of this page. # However, the current page redirects the visitor to another # page by returning an HTTP status code of 301/302. Therefore, # all browser users will not see the contents of this page # and will not be able to interact with the HTML form. # # Sometimes programmers don't properly terminate # the script after redirecting the user to another page. For example: # <?php # if (!isset($_SESSION["authenticated"])) { # header("Location: auth.php"); # } # ?> # <title>Administration page</title> # <form action="/admin/action" method="post"> # <!-- ... form inputs ... --> # </form> # # <!-- ... the rest of the administration page ... --> # # This script is incorrect because the script is not terminated # after the "header("Location: auth.php");" line. An attacker can access # the content the administration page by using an HTTP client that # doesn't follow redirection (like HTTP Editor). This creates an authentication # bypass vulnerability. The correct code would be # # <?php # if (!isset($_SESSION[auth])) { # header("Location: auth.php"); # exit(); # } # ?> # <title>Administration page</title> # <form action="/admin/action" method="post"> # <!-- ... form inputs ... --> # </form> # # <!-- ... the rest of the administration page ... --> # # This vulnerability affects /mohachat-0.1.1/mohachat. # Discovered by: Scripting (HTML_Form_In_Redirect_Page.script). # Attack details # Form action='' # ####################################################################### # # [+] Contact Me : # # B.Devils.B@gmail.com # Twitter.com/Doctor_3v1l # Facebook.com/bdb.0web # Facebook.com/groups/1427166220843499/ # IR.linkedin.com/in/hossein3v1l # Hossein Hezami - Black_Devils B0ys # ####################################################################### # B.Devils.B Friends , R.H.H (UnderGround) , IeDB.IR , IrSecTeam #######################################################################