Elfet - ElfChat 5.1.2 Pro XSS + HTML Inject on Admin / Site

1. +---------------------------------------------------------------------------------------------------------------------------------------------------+
2. # Exploit Title : Elfet - ElfChat 5.1.2 Pro XSS + HTML Inject on Admin / Site Settings
3.  
4. # Date : 2012-07-31
5.  
6. # Vulnearbility : http://www.Site.tld/chat/admin/settings.php?33dca4953ec77be27e393b32938807e7/YWFjdD1tYWlu
7.  
8. # Vulnearbility2 : http://www.site.tld/chat/admin/users.php?ef2e8f2d2d3ff1bba659b81b9fc62b94/YWZpbHRyPWFsbHVzZXJzJmNydWRfYWN0PWNyZWF0ZQ--
9.  
10. # Author : Avatar Fearless
11.  
12. # Software link : http://community.elfchat.net/files/download/4-elfchat-5-demo/
13.  
14. # Official Site : http://elfchat.net/
15.  
16. # Version : 5.1.2 Pro (Updated)
17.  
18. # Tested on : Windows 7 Ultimate x32
19.  
20. # Original Advisory : http://thefear.in/elfchatvuln2.txt || http://pastebin.com/g6G1V9eC
21.  
22. # Contact : avatar@hiphopfan.com || avatar_legends@live.com/@mail.ru
23.  
24. # Web Sites : http://anti-armenia.org/ || http://millikuvvetler.net/ || http://mexfi.org/
25.  
26. +---------------------------------------------------------------------------------------------------------------------------------------------------+
27.  
28. [+] Vulnerable :
29.  
30. http://www.Site.tld/chat/admin/settings.php
31.  
32. [-] Exploit :
33.  
34. In "Admin" Case you can do everythink with settings.php!
35.  
36. [?] About :
37.  
38. For More Info Contact me.
39.  
40. [#] Description :
41. I Got 2 Vulnerability on this CMS. Before all of this , This is updated version. Actually This vulnerability is not on signup.php
42. This Vulnearbility Affects to : /admin/ here.
43.  
44. [$] Information About This Vulnerability + Exploiting.
45. Let's Take a while. What is this URL? :
46. http://www.Site.tld/chat/admin/settings.php?33dca4953ec77be27e393b32938807e7/YWFjdD1tYWlu
47. This is Settings. Right! Our Vulnearbility is on /admin/setting.php in the "Title" We got problem.
48. In Title We can use all the JavaScript Code'S
49. (EX : "<script>alert(1);</script>")
50. http://s14.postimage.org/n1ldbshsw/elfchatvuln2.jpg
51. And We got a HTML Injection.
52. (EX : "<h1>Owned</h1>")
53. http://s14.postimage.org/es4wjmyow/elfchatvuln.jpg
54. You See. It Takes So Easy. i mean this JS + HTML inject isn't encrypt it is only themself. This mean it is so easy to build a XSRF
55. & Take Cookie'Z. And This will be easy cause we don't have any pm and that's way you will send the link. And Admin or other users will click
56. on this link and i will got the cookie :D . So Geniues ;)
57. And Let's Talk About The other Vulnearbility. About The "Create another Person". Yeah This Vulnerability Affects to :
58. http://www.site.tld/chat/admin/users.php?ef2e8f2d2d3ff1bba659b81b9fc62b94/YWZpbHRyPWFsbHVzZXJzJmNydWRfYWN0PWNyZWF0ZQ--
59. In Here Admin Cat Put All The JS Source Codes. So We got another XSS in
60. http://www.site.tld/chat/admin/users.php?ef2e8f2d2d3ff1bba659b81b9fc62b94/YWZpbHRyPWFsbHVzZXJzJmNydWRfYWN0PWNyZWF0ZQ--
61. Create a new Person =)
62.  
63. [@]
64.  
65. Respect To :
66.  
67. All My Bro*S
68.  
69. AA Team
70.  
71. MF Team
72.  
73. MKT Team
74.  
75. Gr33t`Z T0 : All Team MemBer'Z
76.  
77. +---------------------------------------------------------------------------------------------------------------------------------------------------+