CVE-2008-6502
Pro Chat Rooms 3.0.2 - Authenticated Path Traversal and Remote Code Execution via Avatar Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2008-6502. PoCs published by ZynbER.
AI-analyzed exploit summary This writeup describes XSS and CSRF vulnerabilities in Pro Chat Rooms Version 3.0.2. The XSS is due to unsanitized user input in the 'gud' parameter, while the CSRF exploits the avatar parameter to force actions like logging users out.
Description
Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows remote authenticated users to select an arbitrary local PHP script as an avatar via a .. (dot dot) in the avatar parameter, and cause other users to execute this script by using sendData.php to send a message to (1) an individual user or (2) a room, leading to cross-site request forgery (CSRF), cross-site scripting (XSS), or other impacts.
Exploits (1)
This writeup describes XSS and CSRF vulnerabilities in Pro Chat Rooms Version 3.0.2. The XSS is due to unsanitized user input in the 'gud' parameter, while the CSRF exploits the avatar parameter to force actions like logging users out.