Ghost users in Chat Anywhere 2.72

From: Luigi Auriemma (aluigi_at_altervista.org)
Date: 03/09/04

    Date: Tue, 9 Mar 2004 12:11:54 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Chat Anywhere
                  http://www.lionmax.com/chatanywhere.htm
    Versions: <= 2.72
    Platforms: Windows
    Bug: users cannot be banned or kicked
    Risk: low
    Exploitation: remote, via browser
    Date: 09 Mar 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Chat Anywhere is a web chat server that provides multiple chat rooms
    accessible via browser. It also supports remote administration via the web.

    #######################################################################

    ======
    2) Bug
    ======

    By placing %00 (a NUL byte) before the nickname, a user can hide himself
    from the administrator.
    In practice the admin cannot see the user's IP address in the
    administration web page because it is replaced by the text $IP$.
    This prevents the user from being banned or kicked, so the admin has
    no control over him.
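    The following added example (not part of the advisory) models the
    defender's side of this bug in Python: it decodes a nickname parameter
    once, shows how a C-style string copy discards everything from the NUL
    byte on, and rejects control characters before the nickname reaches the
    admin page. The parameter name `nick`, the query strings and the
    rendering function are constructed assumptions; the advisory does not
    say how Chat Anywhere handles the value internally.

```python
from urllib.parse import parse_qs

# Constructed sample query strings (the parameter name "nick" is assumed).
# RAW_GHOST carries a literal %00, as the advisory describes; BROWSER_ENCODED
# is what a normal browser sends after re-encoding the percent sign as %25.
RAW_GHOST = "nick=%00ghost&room=lobby"
BROWSER_ENCODED = "nick=%2500ghost&room=lobby"


def nick_from_query(query: str) -> str:
    """Decode the nickname parameter exactly once (no second unquote pass)."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("nick", [""])[0]


def c_string_truncate(s: str) -> str:
    """Model a C-style string copy: everything from the first NUL on is lost."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def is_safe_nickname(nick: str) -> bool:
    """Accept only non-empty nicknames with no C0 control characters or DEL."""
    return bool(nick) and not any(ord(ch) < 32 or ord(ch) == 127 for ch in nick)


def render_admin_row(nick: str, ip: str) -> str:
    """Hypothetical admin-page row: validate before the value reaches the template."""
    if not is_safe_nickname(nick):
        raise ValueError("nickname contains control characters")
    return f"{nick} {ip}"


if __name__ == "__main__":
    ghost = nick_from_query(RAW_GHOST)
    print(repr(ghost))                    # '\x00ghost'
    print(repr(c_string_truncate(ghost))) # '' : the nickname vanishes
    print(repr(nick_from_query(BROWSER_ENCODED)))  # '%00ghost', harmless text
    print(render_admin_row("ghost", "192.0.2.10"))
```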

    #######################################################################

    ===========
    3) The Code
    ===========

    I have created a simple html file that sends %00 in plain-text because
    almost all browsers send it encoded as %2500:

      http://aluigi.altervista.org/poc/ca-ghost.htm

    #######################################################################

    ======
    4) Fix
    ======

    Version 2.72a

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

