TITLE:
X7 Chat "help_file" Directory Traversal Vulnerability

SECUNIA ADVISORY ID:
SA19886

VERIFY ADVISORY:
http://secunia.com/advisories/19886/

CRITICAL:
Highly critical

IMPACT:
Exposure of system information, Exposure of sensitive information, System access

WHERE:
From remote

SOFTWARE:
X7 Chat 2.x
http://secunia.com/product/9696/

DESCRIPTION:
rgod has discovered a vulnerability in X7 Chat, which can be exploited by malicious people to disclose sensitive information and by malicious users to compromise a vulnerable system.

Input passed to the "help_file" parameter in help/index.php is not properly verified before being used to include files. This can be exploited to read arbitrary files via directory traversal attacks.

Because the included file is parsed as PHP regardless of its extension, the same flaw can also be used to execute arbitrary PHP code by including a previously uploaded avatar image that carries PHP code in its EXIF data. This part of the attack requires a valid user account with permission to upload avatar images.

The vulnerability has been confirmed in version 2.0.0. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure input is properly verified.

Disable upload of avatar images.

PROVIDED AND/OR DISCOVERED BY:
rgod

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1738

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.
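The following PHP is an added illustration of the pattern described under DESCRIPTION and SOLUTION above. It is not X7 Chat's own code and not part of the original advisory: the vulnerable snippet is an assumed reconstruction of how a "help_file" parameter ends up in an include(), and the help directory layout, topic names, and function names are hypothetical. The hardened version shows what "ensure input is properly verified" means in practice, and the avatar re-encoder shows an alternative to disabling avatar uploads outright.

```php
<?php
// Added example for SA19886. NOT X7 Chat's code: the vulnerable function is
// an assumed reconstruction of the flaw; directory names, topic names and
// function names are hypothetical.

// --- Vulnerable pattern (assumed): the request parameter is the include path.
//   help/index.php?help_file=../../../../../etc/passwd   -> file disclosure
//   help/index.php?help_file=../avatars/me.jpg           -> code execution:
//   include() parses the JPEG as PHP, so "<?php ... ?>" stored in its EXIF
//   data runs, which is why avatar upload rights turn the LFI into RCE.
function include_help_vulnerable(string $help_file): void
{
    include $help_file;          // no validation at all
}

// --- Hardened version: resolve the topic through an allowlist, then confirm
// the canonical path really lies inside the help directory.
function resolve_help_file(string $help_file, string $help_dir): ?string
{
    // 1. Allowlist of known help topics (hypothetical names).
    static $topics = ['index', 'commands', 'smilies', 'profile'];

    // 2. Only a plain topic name is acceptable. This rejects "../", "/",
    //    "\" and NUL-byte tricks such as "../../etc/passwd%00" before any
    //    filesystem call is made.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $help_file)) {
        return null;
    }
    if (!in_array($help_file, $topics, true)) {
        return null;
    }

    // 3. Defence in depth: canonicalise and check the prefix, so a symlink
    //    or a later relaxation of step 2 still cannot escape $help_dir.
    $base = realpath($help_dir);
    $path = realpath($help_dir . DIRECTORY_SEPARATOR . $help_file . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_help_hardened(string $help_file, string $help_dir): void
{
    $path = resolve_help_file($help_file, $help_dir);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown help topic';
        return;
    }
    include $path;
}

// --- Mitigation for the second half of the chain: re-encode uploaded
// avatars with GD. imagejpeg() writes pixel data only, so any EXIF or
// comment segment carrying PHP code is discarded. (Disabling avatar
// uploads, as the advisory recommends, is the simpler option.)
function reencode_avatar(string $src, string $dst): bool
{
    $img = @imagecreatefromjpeg($src);
    if ($img === false) {
        return false;            // not a decodable JPEG: reject the upload
    }
    $ok = imagejpeg($img, $dst, 85);
    imagedestroy($img);
    return $ok;
}

// Usage in a hypothetical help/index.php with pages stored as
// help/pages/<topic>.php:
// include_help_hardened($_GET['help_file'] ?? 'index', __DIR__ . '/pages');
```

The allowlist in step 2 is the actual fix; the realpath() prefix check and the avatar re-encoding are layered defences. Re-encoding avatars removes the code-execution vector but does nothing about the file-disclosure half of the advisory, so it is not a substitute for validating the include path.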