TUCoPS :: HP Unsorted F :: va1590.htm

flashchat severe bug
flashchat severe bug
flashchat severe bug

File: connection.php

                                        ChatServer::userInRole($this->userid, ROLE_ADMIN) ||
                                        ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
                                        ($req['s'] == 7) <-- *bypass line*

This piece of code allows a normal user to bypass role filtering and to be granted admin role as a normal user. To exploit the vulnerability simply send to getxml.php, while into the chat, this post data string (for example intercepting and modifying a legal message packet sent to the server with tamper data plugin of firefox):

for example to ban a user simply add the bypass to the normal ban string request:

//normal message sent to server thas has being intercepted
sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id=

//normal ban packet used by admins or mods

//forged packet send by attacker

*note the s=7 added

this will ip-ban user with id 5581 from chat.

eLiSiA - 17-10-2008

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH