A SQL injection vulnerability in phpMyChat Plus 1.93 can be exploited to extract arbitrary data. A local file inclusion vulnerability in phpMyChat Plus 1.93 can be exploited to include arbitrary files.
phpMyChat is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. Exploiting these issues may allow an unauthorized user to view files and execute local scripts. phpMyChat Plus 1.9 and prior versions are vulnerable to these issues; other versions may also be affected.
phpMyChat Plus v1.94 RC1 is vulnerable to Remote Blind SQL Injection, Remote File Inclusion, Local File Inclusion, and XSS. For Remote Blind SQL Injection, an attacker can use an automated blind SQL injection tool to get database information. For Remote File Inclusion, allow_url_include must be set to On. For Local File Inclusion, magic_quotes_gpc must be set to Off. For XSS, an attacker must have a good brain.
The phpMyChat Plus 1.98 application is vulnerable to SQL injection (boolean-based blind, error-based, time-based blind) on the deluser.php page through the pmc_user parameter. PoC: capture the request through Burp Suite and then use sqlmap to get the user tables.
The 'pmc_username' parameter of pass_reset.php is vulnerable to reflected XSS. Payload: '><script>alert('xss')</script> Vulnerable URL: http://localhost/plus/pass_reset.php?L=english&pmc_username=''><script>alert('xss')</script>
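A defender-side check for the two parameters named above (pmc_username on pass_reset.php, pmc_user on deluser.php), as an added example that is not part of the original advisories: it scans web access-log lines and flags any value that falls outside a conservative username pattern. The log lines are constructed, and the username policy and the assumption that both parameters appear in the query string are illustrative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script/parameter pairs named in the advisories above.
WATCHED = {"pass_reset.php": "pmc_username", "deluser.php": "pmc_user"}
# Assumed policy: usernames are 1-30 letters, digits, '_', '-', '.' or space.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.\- ]{1,30}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /plus/pass_reset.php?L=english&pmc_username=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /plus/pass_reset.php?L=english&pmc_username=%27%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 540',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /plus/deluser.php?pmc_user=bob HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "GET /plus/deluser.php?pmc_user=bob%27 HTTP/1.1" 500 120',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /plus/index.php?L=english HTTP/1.1" 200 900',
]


def suspicious_requests(lines):
    """Return (client, script, parameter, decoded value) for each watched
    parameter whose URL-decoded value does not match SAFE_VALUE."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we understand
        url = urlsplit(match.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = WATCHED.get(script)
        if param is None:
            continue  # script is not one of the affected pages
        # parse_qsl percent-decodes, so encoded quotes and tags are compared in clear form.
        for name, value in parse_qsl(url.query):
            if name == param and not SAFE_VALUE.fullmatch(value):
                client = line.split(" ", 1)[0]
                hits.append((client, script, name, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so the same pattern check would have to run in the application or at a proxy that sees the body.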