Source:
http://www.cpc.info.ms
#1:. Background
[readme]
What is MWChat?
--------------
MWChat is a web-based (browser) chat application that doesn't require
Java. MWChat includes features such as buddy lists, encryption, file
sharing, private messages, ignore lists, private rooms, and more.
The MWChat Application Framework is written in PHP, and provides the
common tools that make up a robust chat application.
[/readme]
#2:. The Bug
The bug resides in index.php: there is no check against injection on the "ErrorMessage" variable.
This variable is first URL decoded, then Base64 decoded, and finally printed out without any escaping. So an attacker can URL/Base64 encode
a JavaScript string and have it printed straight into the page (a reflected cross-site scripting bug). A malicious attacker could use this bug to steal cookies and gain privileges.
#3:. PoC
Use this url as proof of concept:
[poc]
http://[host]/[folder]/index.php?ErrorMessage=PHNjcmlwdD5hbGVydCgibG9sIik8L3NjcmlwdD4%3D&Lang=en
[/poc]
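To make the decode-then-echo flow concrete, here is an added illustration in PHP (this is not MWChat's own source, which the advisory does not quote): a reconstruction of the vulnerable pattern as described above, beside two hardened forms. The parameter name "ErrorMessage" and the PoC value come from the advisory; the function names and the error-code table are assumptions made for the example.

```php
<?php
// Added example, not MWChat code: the ErrorMessage handling as the advisory
// describes it (URL decode -> base64 decode -> echo), and how to harden it.

// Vulnerable pattern: the decoded request value is written into HTML as-is.
// Note that PHP already URL-decodes $_GET values, so the explicit urldecode()
// is a second decode; it is kept here only to mirror the advisory's description.
function render_error_vulnerable(string $encoded): string
{
    $decoded = base64_decode(urldecode($encoded));
    return '<div class="error">' . $decoded . '</div>';
}

// Hardened form: treat the decoded value as untrusted text and escape it for
// the HTML context it lands in. Strict base64 decoding also rejects junk input.
function render_error_safe(string $encoded): string
{
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        $decoded = 'Unknown error';
    }
    $escaped = htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="error">' . $escaped . '</div>';
}

// Safer still: do not echo free-form text from the request at all. Accept only
// a short error code and map it to a server-side message (hypothetical table).
const ERROR_MESSAGES = [
    'login_failed' => 'Login failed. Please try again.',
    'room_full'    => 'That room is full.',
];

function render_error_by_code(string $code): string
{
    $msg = ERROR_MESSAGES[$code] ?? 'Unknown error';
    return '<div class="error">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Constructed demonstration using the advisory's PoC value (already URL-decoded,
// as it would arrive in $_GET['ErrorMessage']).
$poc = 'PHNjcmlwdD5hbGVydCgibG9sIik8L3NjcmlwdD4=';
echo render_error_vulnerable($poc), "\n";   // decoded markup reaches the browser intact
echo render_error_safe($poc), "\n";         // same value, but entity-escaped and inert
echo render_error_by_code('room_full'), "\n";
echo render_error_by_code('not_a_code'), "\n";
```

From a detection standpoint, a base64 ErrorMessage that decodes to anything containing `<` or `javascript:` is a useful indicator in web server logs for this application.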
#4:. Patch:
No patch is available for now; the vendor has neither answered my email nor published any new version or patch.
#5:.
http://contropotere.altervista.org/mercury/ - Cpc Forum, where you can ask for an unofficial patch
http://contropotere.altervista.o ... n/wrapper/Itemid/47 - URL, Base64 and Hex Encoder/Decoder