53KF Web IM 2009 Cross-Site Scripting Vulnerabilities



Application: 53KF Web IM
Vendor: www.53kf.com
Corporation: LiuDu, Inc.
Version: Latest: (19 JAN 2009) - Home Edition, Enterprise & Professional
Description: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities

Background:
==============
53KF is a web-based group chat tool that lets you invite a client,
colleague, or vendor to chat and collaborate. More than 220,000
websites use 53KF.

Vulnerability:
==============
The application does not properly sanitize potentially malicious input
before it is rendered; as a result, an attacker can supply arbitrary
HTML as part of an IM message. Input validation is performed only on
the client side.

Exploit:
==============

156 function sendmsg() {
157 try{textCounter(document.getElementById("input1"),1000)}catch(e){}
158 msg=document.getElementById("input1").value;
159 if (msg.trim()=="") {
160 return;
161 }
162 msg=UBBEncode(msg);
163 document.getElementById("input1").value="";
164 display_msg("<font color=\"#666666\">"+infos[13]+": "+getTime2()+"</font><br>&nbsp;&nbsp;"+UBBCode(msg.trim()));
165 try{msg=msgFilter(msg);}catch(e){}
166 if(usezzdy=="1"){
167 var rmsg=sendtext(msg);
168 display_msg("<font color=\"#666666\">"+infos[57]+":</font><br>&nbsp;&nbsp;<font color=\"#0000CE\">"+rmsg+"</font>");
169 }else{
170 if (typeof(rec_stat)!="undefined" && rec_stat==1){
171 push_info("post","REC",mytempid,"11",UBBCode(msg.trim()),getTime());
172 display_msg("<font color=\"#666666\">"+infos[29]+":</font><br>&nbsp;&nbsp;<font color=\"#0000CE\">"+UBBCode(UBBEncode(lword_prompt))+"</font>");
173 }
174 else{
175 qstmsg(UBBCode(msg.trim()));
176 }
177 }
178 if (talk_fee_type==1)
179 {
180 talk_fee_type=0;
181 url="http://www.53kf.cn/v5_talk.php?talk_fee_type=1&arg="+arg+"&style="+style;
182 rpc(url);
183 }
184
185 if(istalktype==1)
186 {
187 istalktype=0;
188 url="http://www.53kf.cn/istalk.php?companyid="+company_id+"&istalk=1";;
189 rpc(url);
190 }
191}

Set a breakpoint (Firebug, etc.) at line 164 and assign a new value:
msg = "<iframe width=800 height=600 src='httP://WWW.g.cn'></iframe>"
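The root cause above is that UBBEncode/msgFilter run only in the sender's browser and the receiving side inserts the result straight into the DOM. The following is an added example, not 53KF's code, of how the receiving (or server) side can render a message without trusting the sender: escape all HTML first, then convert only a whitelist of UBB tags. The tag names and the sample message are assumptions.

```javascript
// Added example (not part of the advisory or the 53KF product): render an
// IM message safely on the receiving side, so that filtering in the
// sender's browser is never the only control.

// Escape the characters that can start markup or break out of an
// attribute, so attacker-supplied text is displayed literally.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Convert a small whitelist of UBB tags AFTER escaping. Because the input
// is already escaped, the only markup in the output is what this function
// emits itself (b, i, br and http(s) links).
function renderUbbSafely(message) {
  var safe = escapeHtml(message);
  safe = safe.replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>');
  safe = safe.replace(/\[i\]([\s\S]*?)\[\/i\]/g, '<i>$1</i>');
  // Only http(s) targets become links; javascript: and data: never match.
  safe = safe.replace(/\[url\](https?:\/\/[^\s\[\]]+)\[\/url\]/g,
    '<a href="$1" rel="noopener noreferrer">$1</a>');
  return safe.replace(/\n/g, '<br>');
}

// Constructed sample: ordinary chat text followed by the kind of raw HTML
// the advisory shows being injected after the client-side encode step.
var SAMPLE = "hello [b]team[/b]\n" +
  "<iframe width=800 height=600 src='http://example.invalid'></iframe>";

// Returns true when the rendered output carries no tag other than the
// ones renderUbbSafely emits (used here as a self-check, not as a filter).
function onlyExpectedTags(html) {
  var allowed = /^<(\/?(b|i)|br|a href="https?:\/\/[^"]*" rel="noopener noreferrer"|\/a)>$/;
  return (html.match(/<[^>]*>/g) || []).every(function (t) { return allowed.test(t); });
}
```

Escaping at render time means the server never has to guess whether the sender's copy of msgFilter actually ran.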

=========================
xisigr[topsec]
xisigr@xxxxxxxxx


--
-----------------------------------------------------------------
NAME:xushaopei(xsp)
ORG:Heart[T.P.S][F.S.T][J.I.C]
QQ:9634989
EMAIL:xisigr@xxxxxxxxx
BLOG:http://www.hackheart.com
-----------------------------------------------------------------
