


Category:   Application (Instant Messaging/IRC/Chat)  >   WebChat (Vendors:   Toma, Daniel)
WebChat Include File Bug in 'defines.php' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006193
SecurityTracker URL:
CVE Reference:   CVE-2007-0485
Updated:  Jul 7 2008
Original Entry Date:  Mar 3 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.77
Description:   An include file vulnerability was reported in WebChat. A remote user can execute arbitrary PHP code and operating system commands on the target server.

Frog-m@n reported that the 'defines.php' script includes the 'db_mysql.php' and 'language/english.php' files relative to the $WEBCHATPATH variable but does not validate that the included files are from the proper location. A remote user can specify a remote location for those include files, causing the target server to include and execute the remotely located files.

As an example, the following URL will cause the http://[attacker]/db_mysql.php file to be executed on the target server:


According to the report, this exploit is possible only if the register_globals parameter is set to ON.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target server. The code or commands will run with the privileges of the web server.
Solution:   No vendor solution was available at the time of this entry. The author of the report has issued an unofficial patch, available at:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  WebChat

Information:
Language: PHP
Website:
Version: 0.77

Details:

The flaw is fairly classic.
In the file defines.php, we can see the following lines of code:
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
}
include ($WEBCHATPATH.'db_mysql.php');
include ($WEBCHATPATH.'language/english.php');
It will therefore be possible to include and execute the files http://[attacker]/db_mysql.php and 
of the following type:
server http://[target]
and with its rights and restrictions.
All of this is only possible if register_globals is set to ON.

Patch:
In defines.php, replace the lines:
if (!isset($WEBCHATPATH)) {
	 $WEBCHATPATH = './';
with:

Credits:
Author: frog-m@n
E-mail:
Website:
Date: 01/03/03
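
The include logic quoted in the report next to a hardened form, as an added example (not WebChat code and not the report's unofficial patch, which is not reproduced on this page). The function names, the extract() emulation of register_globals and the sample requests are constructed for illustration; the functions return the include targets instead of including them.

```php
<?php
// Added example: constructed for illustration, not taken from WebChat.

// "Before": the logic quoted from defines.php. extract() emulates
// register_globals = ON, where request parameters become plain variables.
function targets_before(array $request): array
{
    extract($request);
    if (!isset($WEBCHATPATH)) {        // already set by the request, so no default
        $WEBCHATPATH = './';
    }
    return [$WEBCHATPATH . 'db_mysql.php', $WEBCHATPATH . 'language/english.php'];
}

// "After": the base directory is passed in by the script itself (in production
// this would be __DIR__), and every target must resolve to an existing file
// inside that directory. Request data is never consulted.
function targets_after(string $root): array
{
    $root = realpath($root);
    $out = [];
    foreach (['db_mysql.php', 'language/english.php'] as $rel) {
        $path = realpath($root . DIRECTORY_SEPARATOR . $rel);
        $inside = $path !== false
            && strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
        $out[] = $inside ? $path : null;   // null means: refuse to include
    }
    return $out;
}

// Constructed demo tree so the example runs offline.
$root = sys_get_temp_dir() . '/webchat_demo_' . getmypid();
@mkdir($root . '/language', 0700, true);
file_put_contents($root . '/db_mysql.php', "<?php // stub\n");
file_put_contents($root . '/language/english.php', "<?php // stub\n");

// Constructed sample requests: one without the parameter, one supplying it.
$requests = [
    'no parameter'         => [],
    'WEBCHATPATH supplied' => ['WEBCHATPATH' => 'http://[attacker]/'],
];
foreach ($requests as $label => $req) {
    $after = array_map(fn($p) => $p ?? '(refused)', targets_after($root));
    echo "$label\n  before: ", implode(', ', targets_before($req)), "\n";
    echo "  after:  ", implode(', ', $after), "\n";
}
```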

