Exploitation Summary
EIP tracks 7 public exploits for CVE-2006-3366. PoCs published by Luny.
AI-analyzed exploit summary This exploit demonstrates XSS and SQL injection vulnerabilities in V3 Chat Instant Messenger by injecting malicious scripts and parameters into the 'search.php' endpoint. The PoC shows how unsanitized input can lead to arbitrary script execution in a user's browser context.
Description
Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".
Exploits (7)
This exploit demonstrates XSS and SQL injection vulnerabilities in V3 Chat Instant Messenger by injecting malicious scripts and parameters into the 'search.php' endpoint. The PoC shows how unsanitized input can lead to arbitrary script execution in a user's browser context.
This exploit demonstrates an XSS vulnerability in V3 Chat Instant Messenger by injecting a malicious script via the 'membername' parameter in profileview.php. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in V3 Chat Instant Messenger by injecting a malicious script via the 'site_id' parameter in the profile.php page. The vulnerability arises due to insufficient input sanitization.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in V3 Chat Instant Messenger by injecting malicious script tags into the 'site_id' parameter. The vulnerability arises from insufficient input sanitization, allowing arbitrary JavaScript execution in the context of the affected site.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in V3 Chat Instant Messenger by injecting a malicious script via the 'cust_name' parameter in the 'expire.php' endpoint. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.
This exploit demonstrates an XSS vulnerability in V3 Chat Instant Messenger by injecting a malicious script via the 'id' parameter in the 'reply.php' endpoint. The lack of input sanitization allows arbitrary JavaScript execution in the context of the affected site.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in V3 Chat Instant Messenger by injecting malicious script tags into the URL parameters. The vulnerability arises from insufficient input sanitization, allowing arbitrary JavaScript execution in the context of the affected site.