Warning about a hack I had [flash chat]

NeilUK
Registered User
Posts: 276
Joined: Fri Oct 28, 2005 7:54 pm

Warning about a hack I had [flash chat]

Post by NeilUK » Fri Apr 11, 2014 1:06 pm

Just wanted to post this for people who use Flash Chat as their chatroom software. Updates seem to have stopped with them, their Forum is down, and my Forum was hacked last week.

No real harm done, GoDaddy sorted it and it was obvious that it had been hacked. They got in via my Chatroom software, so it wasn't a phpbb3 flaw. It was the FlashChat v 6.0.8 software.

Just wanted others to be aware as I know there are a lot of Flash Chat users in the phpbb.com community

Brf
Support Team Member
Posts: 51870
Joined: Tue May 10, 2005 7:47 pm

Re: Warning about a hack I had [flash chat]

Post by Brf » Fri Apr 11, 2014 1:58 pm

Move to General Discussion, since Flash Chat is not part of phpBB.

NeilUK
Registered User
Posts: 276
Joined: Fri Oct 28, 2005 7:54 pm

Re: Warning about a hack I had [flash chat]

Post by NeilUK » Fri Apr 11, 2014 4:35 pm

Apologies, I thought I had put it in this section

I did stress it wasn't a phpbb3 problem but thought it was worth posting as so many use Flash Chat

sakm
Registered User
Posts: 542
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu

Re: Warning about a hack I had [flash chat]

Post by sakm » Fri Apr 11, 2014 5:22 pm

Flash Chat was a great chatroom and it's a shame they went AWOL!!

I uninstalled it not long after support stopped

NeilUK
Registered User
Posts: 276
Joined: Fri Oct 28, 2005 7:54 pm

Re: Warning about a hack I had [flash chat]

Post by NeilUK » Fri Apr 11, 2014 6:37 pm

Yeah I liked it

Haven't been able to find a good replacement for it either so far

sakm
Registered User
Posts: 542
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu

Re: Warning about a hack I had [flash chat]

Post by sakm » Fri Apr 11, 2014 6:40 pm

Same here.

I tried Comet Chat but it's rubbish, and they always want paying for any modification and won't just tell you how to do any bits you want to do.

I use Mchat now but the chatroom has died a death on my forum

Jessica
Former Team Member
Posts: 4342
Joined: Sun Jul 18, 2010 2:53 pm
Location: Pennsylvania, USA
Name: Jessica

Re: Warning about a hack I had [flash chat]

Post by Jessica » Fri Apr 11, 2014 10:20 pm

I use cBB Chat but it's more of a shoutbox than a chatroom right now...

Danielx64
Registered User
Posts: 1369
Joined: Wed Nov 04, 2009 5:51 am
Location: In a server room in Australia
Name: Daniel

Re: Warning about a hack I had [flash chat]

Post by Danielx64 » Sat Apr 12, 2014 1:08 am

I use http://frug.github.io/AJAX-Chat/ and there is a project (that is on hold) where it will work with phpBB with full board styles and UCP configurations.
Please note that I will not be porting any of my mods to phpBB 3.1. Sorry for the inconvenience this may cause.

HagoromoOtsutsuki
Registered User
Posts: 7
Joined: Mon Mar 24, 2014 8:36 pm
Location: Any Forum
Name: Hagoromo Otsutsuki

Re: Warning about a hack I had [flash chat]

Post by HagoromoOtsutsuki » Fri May 02, 2014 7:07 am

Thanks for the heads up :D

mrjon
Registered User
Posts: 4
Joined: Fri Apr 18, 2014 3:20 pm

Re: Warning about a hack I had [flash chat]

Post by mrjon » Thu Jun 12, 2014 7:05 pm

Which version date is this? I am still using FlashChat on my forum :(

Mine is the October 25, 2013

Seraphic
Registered User
Posts: 274
Joined: Wed Feb 15, 2006 8:20 am

Re: Warning about a hack I had [flash chat]

Post by Seraphic » Thu Jul 10, 2014 4:26 pm

FlashChat 6.0.2-6.0.8 - Arbitrary File Upload Vulnerability
This module exploits a file upload vulnerability found in FlashChat versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload feature in order to upload malicious PHP files without authentication which results in arbitrary remote code execution as the web server user.
FlashChat contains a flaw that allows a remote user to execute arbitrary PHP code. This flaw exists because the upload.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute the script with the privileges of the web server.
Same thing just happened to my forum. Was using the newest version, 6.0.8.
Was such a great add-on too and it's a shame it's no longer maintained.

Did some searching and found:

http://www.rapid7.com/db/modules/exploi ... pload_exec
http://www.exploit-db.com/exploits/28709/
http://www.osvdb.org/98233

Maybe deleting the upload.php file will prevent the exploit?
Although, will FlashChat even work with phpBB 3.1?

NeilUK
Registered User
Posts: 276
Joined: Fri Oct 28, 2005 7:54 pm

Re: Warning about a hack I had [flash chat]

Post by NeilUK » Fri Jul 11, 2014 4:12 pm

No, it doesn't work with 3.1.

It all seems to install OK but nothing happens when you enter the chatroom. Basically the database isn't compatible anymore unless FlashChat is ever updated.
