lunes 21 de diciembre de 2009

New Bug In PHPOPENCHAT by Dedalo

Bueno por ahora solo está en exploit-db pero como esta un poco mal hecha la distribución del texto entonces por eso lo voy a poner aquí

1.- Preview

This web APP is Vulnerable to xss in its instalation file but you can misconfigurate all the
code with this bug also, you must see to understand...

2.- Vulnerable Code

function database_setup(){

if( isset($_POST['form_data']) ){

$host = (string) $_POST['DATABASE_HOST'];

$user = (string) $_POST['DATABASE_USER'];

$pass = (string) $_POST['DATABASE_PASSWORD'];

$tabl = (string) $_POST['DATABASE_TABLESPACE'];

$prefix = (string) $_POST['DATABASE_TABLE_PREFIX'];

3.- Expl0tation
First Bug its where you just post data without nothing in security so you can put in the
host textbox on the install.php?step=2 "><script>alert(1337)</script> in which usually
is written localhost and in other .php files (install.php) they show $host so the Xss its

4.- More Vuln Code...

$this->set_conf_property('DATABASE_HOST', $host);

you may think theres no problem with this step but...
if you write the DATABSE_HOST with host being explotated it could be...interesting...

5.- MORE

define('DATABASE_HOST', 'localhost');

This is the execelent example to show you how it can work like a PHP DROP...

just put something like "><script>alert('d3d4l0')</script> in the DATABASE_HOST textbox

and excecute, just refresh and...

Path Disclosure...

\openchat\ on line 135

6.- Gr33tz: - WCuestas - Chelano - Perverths0 - SeguridadBlanca READERS
- Exploit-DB && FRIENDS =)


ese es el paper... también se los pongo en pastebin

den click aquí para verlo en pastebin