Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Instant Messaging/IRC/Chat)  >   WebChat ( Vendors:   Toma, Daniel
WebChat Include File Bug in 'defines.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006193
SecurityTracker URL:
CVE Reference:   CVE-2007-0485   (Links to External Site)
Updated:  Jul 7 2008
Original Entry Date:  Mar 3 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.77
Description:   An include file vulnerability was reported in WebChat. A remote user can execute arbitrary PHP code and operating system commands on the target server.

Frog-m@n reported that the 'defines.php' script includes the 'db_mysql.php' and 'language/english.php' files relative to the $WEBCHATPATH variable but does not validate that the included files are from the proper location. A remote user can specify a remote location for those include files, causing the target server to include and execute the remotely located files.

As an example, the following URL will cause the http://[attacker]/db_mysql.php file to be executed on the target server:


According to the report, this exploit is not possible is the register_globals parameter is set to ON.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target server. The code or commands will run with the privileges of the web server.
Solution:   No vendor solution was available at the time of this entry. The author of the report has issued an unofficial patch, available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Date:  Sun, 02 Mar 2003 22:56:18 -0500
Subject:  WebChat

Informations :
Langage : PHP
Website :
Version : 0.77
Problme : Inclusions de fichiers

Developpement :
WebChat est un chat simple open source qui existe depuis quelques annes.

Le faille est relativement classique.
Dans le fichier defines.php, on peut voir les lignes de code :
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
include ($WEBCHATPATH.'db_mysql.php');
include ($WEBCHATPATH.'language/english.php');
On pourra donc inclure et faire executer les fichier http://[attacker]/db_mysql.php et 
http://[attacker]/language/english.php  dans le fichier http://[target]/defines.php, grce  une url
du type :
Ces fichiers se trouvant sur http://[attacker] seront alors executs comme du code php sur le
serveur http://[target]
et avec ses droits et restrictions.
Tout ceci n'est possible que si register_globals est sur ON.

Patch :
Dans defines.php, remplacer les lignes :
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
par :

Un patch peut tre trouv sur
Credits :
Auteur : frog-m@n
E-mail :
Website :
Date : 01/03/03


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2015, LLC