MM Chat Local File Include and Multiple Cross Site Scripting Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim into following a malicious URI, for example:

http://www.example.com/MMchat/chathead.php?sitename=[XSS]
http://www.example.com/MMchat/chathead.php?wmessage=[XSS]

The following proof-of-concept URI is available for the LFI issue:

http://www.example.com/MMchat/chatconfig.php?currentlang=[LFI]
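
The script and parameter names above are enough to look for matching requests in web server access logs. The following Python detector is an added example, not part of the original advisory or of MM Chat. The combined log format, the sample lines, and the rule that a legitimate currentlang value is a short alphanumeric token are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script and parameter names taken from the advisory.
XSS_PARAMS = {"chathead.php": ("sitename", "wmessage")}
LFI_PARAMS = {"chatconfig.php": ("currentlang",)}
# Assumption: a legitimate language value is a short plain token.
SAFE_LANG = re.compile(r"[A-Za-z0-9_-]{1,32}")
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return (kind, script, parameter) findings for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    findings = []
    for name, values in parse_qs(url.query).items():
        for value in map(fully_decode, values):
            if name in XSS_PARAMS.get(script, ()) and MARKUP.search(value):
                findings.append(("xss", script, name))
            elif name in LFI_PARAMS.get(script, ()) and not SAFE_LANG.fullmatch(value):
                findings.append(("lfi", script, name))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET /MMchat/chathead.php?sitename=My+Chat HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2010:10:00:05 +0000] "GET /MMchat/chathead.php?wmessage=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2010:10:00:09 +0000] "GET /MMchat/chatconfig.php?currentlang=english HTTP/1.1" 200 128',
    '198.51.100.9 - - [01/Jan/2010:10:00:12 +0000] "GET /MMchat/chatconfig.php?currentlang=..%252F..%252Fsome%252Ffile HTTP/1.1" 200 128',
    '198.51.100.9 - - [01/Jan/2010:10:00:15 +0000] "GET /index.php?sitename=%3Cb%3E HTTP/1.1" 200 64',
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Findings are indicators for review, not proof of compromise; the same allow-list and markup checks belong in the application's own input handling.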


 

Copyright 2010, SecurityFocus