OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] PHPMyChat Authentication Bypass

From: Debasis Mohanty (mailhackingspirits.com)
Date: Mon Feb 20 2006 - 12:36:29 CST


PHPMyChat Authentication Bypass
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I won't have bothered to post this silly flaw but after seeing the google
search result for inurl:phpMyChat.php3 , I thought it would be good idea to
keep people informed.

I. BACKGROUND

phpMyChat is an easy-to-install, easy-to-use multi-room chat based on PHP
and a database, supporting MySQL, PostgreSQL, and ODBC. It supports some
IRC-like commands, and has been translated to 33 different languages.

II. BUG DESCRIPTION

In the default installation of phpmychat (version 0.14.5) any unregistered
user can get access to the chat rooms by inputing both the user name and
password as same in the input box. i.e. the user name should be same as
password. I tried loging in through various vulnerable sites using these
user id and password combination which granted me un-authorised access to
the rooms -

User Id Password
~~~~~~~~ ~~~~~~~~
admin admin
user user
hacked hacked

...
...

Note: In some cases the user id with 'admin' might not work for the password
as 'admin' as during installation the owner might have changed it.

III. IMPACT
Un-authorised user access to chat rooms

IV. AFFECTED PRODUCTS
I have only tested this for PhpMyChat 0.14.5 but I guess the previous
versions might also be affected.
 
V. VENDOR
http://phpmychat.sourceforge.net
http://www.phpheaven.net/rubrique4.html

VI. CREDITS
Debasis Mohanty
www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/