PhpOnlineChat 3.0 - Cross-Site Scripting

Author: N0 Feel
type: webapps
platform: php
port: 
date_added: 2014-09-08 
date_updated: 2014-09-08 
verified: 0 
codes: OSVDB-111162;CVE-2014-100017 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comchat.zip

# Exploit Title: [phponlinechat xss ]
# Date: [5/9/2014]
# Exploit Author: [N0 Feel]
# Vendor Homepage: [http://phponlinechat.com/phpchat]
# Software Link: [http://phponlinechat.com/chat-free-download.php]
# Version: [3.0]
# Tested on: [win7]

php online chat suffer from xss in user panel

- register as user
- go to : http://path/phpchat/canned_opr.php
- inject javascript evil code into messae filed

demo  :
http://phponlinechat.com/phpchat/canned_opr.php

have fun :)