PHP Open Chat 3.0.2 Cross Site Scripting and Path Disclosure in database_setup functio
`PHPOPENCHAT 3.0.2 Xss AND/OR Full Path Disclosure
1.- Preview
This web APP is Vulnerable to xss in its instalation file but you can
misconfigurate all the
code with this bug also, you must see to understand...
2.- Vulnerable Code
function database_setup(){
if( isset($_POST['form_data']) ){
$host = (string) $_POST['DATABASE_HOST'];
$user = (string) $_POST['DATABASE_USER'];
$pass = (string) $_POST['DATABASE_PASSWORD'];
$tabl = (string) $_POST['DATABASE_TABLESPACE'];
$prefix = (string) $_POST['DATABASE_TABLE_PREFIX'];
3.- Expl0tation
First Bug its where you just post data without nothing in security so
you can put in the
host textbox on the install.php?step=2 ">
in which usually
is written localhost and in other .php files (install.php) they show
$host so the Xss its
notable...
4.- More Vuln Code...
$this->set_conf_property('DATABASE_HOST', $host);
you may think theres no problem with this step but...
if you write the DATABSE_HOST with host being explotated it could
be...interesting...
5.- MORE
define('DATABASE_HOST', 'localhost');
This is the execelent example to show you how it can work like a PHP DROP...
just put something like "> in the
DATABASE_HOST textbox
and excecute, just refresh and...
Path Disclosure...
\openchat\config.inc.php on line 135
6.- Gr33tz:
http://www.seguridadblanca.org - WCuestas - Chelano - Perverths0 -
SeguridadBlanca READERS
- Exploit-DB && FRIENDS =)
====================
31337 HAPPY HACKING
====================
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo