A post from my old blog (archives):
On May 5th 2005, we had to close our chat room because some “bad users” were getting into it using a vulnerability in phpMyChat that allows a remote user to bypass authentication. I looked at the vendor’s website but, to my surprise, development had come to a full stop. There was no official or unofficial patch for the problem. While I was looking for a patch I found numerous security-monitoring websites that had listed this and many other bugs since June 2004 (almost a year earlier). I was like:
“The security holes were discovered almost a year ago, but there is no, absolutely NO, comment on them. An immediate patch is also missing. The point to note is that since 2002 phpMyChat has been included in cPanel, the most popular and widely used Linux-based hosting control panel.”
Luckily I found the official support discussion list for phpMyChat, and I immediately posted my query there on 8th July 2005, but to my surprise I got this reply:
“I checked out securitytracker.com and tried some of the exploits myself, at least the first script. None of them actually do anything. The first script reports a successful transaction, but I see that no actual changes take place in the database. I tried injecting some SQL too, and no luck. However, I still have to explore some of this further. The exploits DO allow somebody to see a user list without logging in. Big whoop. But then, I might be missing some steps, so don’t take this as saying that phpMyChat is secure.”
It seems that no one is paying attention to the serious/critical vulnerabilities in phpMyChat 0.14.x that were reported in June 2004 (last year). No patch is available, officially or unofficially. And I am surprised to see that no one here even knows that these security holes exist in the software. The community and the admins have been asleep for years. I posted some replies and made them realize that this is not an ignorable issue and that they must wake up and at least release a patch for it before offering me the solution of replacing it with another chat script.

Some of the websites that list the phpMyChat vulnerabilities in detail are:
- Security Tracker Alert for phpMyChat 0.14.x
- PHPMyChat Vulnerabilities EXPLAINED with CODES
- Secunia Vulnerability Report – phpMyChat 0.14.x
- SecurityFocus Newsletter #254 dated 21st June 2004 (a year old; read section “27”)
- PHPMyChat Multiple Vulnerabilities
I hope I will get a satisfactory reply and a patch to fix the vulnerabilities.
Update: It really does not matter whether phpMyChat works or not, since I have been using FlashChat for many months now and I am satisfied with its performance.