Donato Ferrante
Application: Free Web Chat
http://sourceforge.net/projects/freewebchat/
Version: Initial Release
Bugs: Multiple Vulnerabilities
Date: 04-Aug-2004
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bugs
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"Free Web Chat is a chat applet designed to be used in a browser.
It consists of a server and a client applet. You can have multiple
rooms and unlimited users. You can also private message individuals.
Right now the administration aspect is fairly minimal, but soon you
will have a robust administration gui to go along with the server
as well as the ability to connect as an administrator remotely."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
2. The bugs:
-------------
The chat server has two bugs:
[1] Denial Of Service
The chat server has an unchecked variable (in UserManager.java) that
allows users to deny the chat service: an unhandled
NullPointerException.
The NullPointerException is located in the following method of
UserManager.java:
public void addUser( Socket sock )
{
    User usr = new User(sock, this);
    String usrName = usr.getName();

    if (usrName != "" ) /* if used to check initialization */
                        /* it's an error */
    {
        /* wrong method call! */
        /* no checks for usrName != null */
        if (userHash.containsKey( usrName) )
        {
            usr.rejectUsername();
            return;
        }

        usr.sendRoomList(rmManager.getRoomList());
        (...)
}
As illustrated above, the variable usrName is not checked, so it may
also be null. Additionally, the method doesn't catch the exception
that may be thrown: NullPointerException.
[2] Resources Consumption
The chat server is unable to properly manage multiple connections
from the same user. In fact it will consume a lot of CPU resources.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerabilities:
[1]
http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip
[2]
http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The vendor has not answered my reports.
If you want, you can fix bug [1] by using my patch below.
To fix bug [1], replace the method addUser( Socket sock )
in UserManager.java with the following patched method:
public void addUser( Socket sock )
{
    User usr = new User(sock, this);
    String usrName = usr.getName();

    if (usrName != "" )
    {
        /* start fix */
        /* manage NullPointerException */
        try{
            if (userHash.containsKey( usrName) )
            {
                usr.rejectUsername();
                return;
            }
        }catch(NullPointerException npe){
            usr.rejectUsername();
            return;
        }
        /* end fix */

        usr.sendRoomList(rmManager.getRoomList());
        userHash.put( usr.getName(), usr );
        rmManager.getDefaultRoom().addUser( usr );

        //start the receiver thread
        Thread t = new Thread(usr);
        t.start();
    }
}
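
An alternative to catching the NullPointerException is to validate the name before the lookup. The following is an added example, not part of the original advisory or of the Free Web Chat source; it assumes userHash is a java.util.Hashtable (whose containsKey throws on a null key), and the names NameRegistry, register and registerUnchecked are hypothetical.

```java
import java.util.Hashtable;
import java.util.Map;

// Added example: stand-in for the name check in UserManager.addUser().
// Assumptions: userHash is a java.util.Hashtable and getName() can return
// null; NameRegistry, register() and registerUnchecked() are hypothetical.
public class NameRegistry {
    enum Result { ACCEPTED, REJECTED_INVALID, REJECTED_TAKEN }

    private final Map<String, Object> userHash = new Hashtable<>();

    // Unpatched pattern: reference comparison plus an unguarded lookup.
    Result registerUnchecked(String usrName, Object usr) {
        if (usrName != "") {                      // also true when usrName is null
            if (userHash.containsKey(usrName)) {  // Hashtable throws NPE on null key
                return Result.REJECTED_TAKEN;
            }
            userHash.put(usrName, usr);
            return Result.ACCEPTED;
        }
        return Result.REJECTED_INVALID;
    }

    // Hardened pattern: validate the value first, then reserve the name.
    Result register(String usrName, Object usr) {
        if (usrName == null || usrName.trim().isEmpty()) {
            return Result.REJECTED_INVALID;       // null, empty or blank name
        }
        // putIfAbsent performs the check and the insert as one atomic step,
        // so two client threads cannot both claim the same name.
        return userHash.putIfAbsent(usrName, usr) == null
                ? Result.ACCEPTED : Result.REJECTED_TAKEN;
    }

    public static void main(String[] args) {
        NameRegistry reg = new NameRegistry();
        String[] names = { "alice", "alice", "", null };  // constructed inputs
        for (String n : names) {
            System.out.println("register(" + n + ") -> "
                    + reg.register(n, new Object()));
        }
        try {
            reg.registerUnchecked(null, new Object());
        } catch (NullPointerException npe) {
            System.out.println("registerUnchecked(null) -> NullPointerException");
        }
    }
}
```

In the real method, the REJECTED_* results correspond to calling usr.rejectUsername() and returning before the room list is sent.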
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx