Syhunt: MyCyberTwin Multiple Cross-Site Scripting Vulnerabilities

[Alec Storm <alec () syhunt com>]

Syhunt: MyCyberTwin Multiple Cross-Site Scripting Vulnerabilities

Advisory-ID: 200703041
Discovery Date: 4.3.2007
Release Date:  4.24.2007
Affected Applications: MyCyberTwin service
Class: Cross-Site Scripting (Cookie-Theft), HTML Injection
Status: Unpatched/Vendor informed
Vendor: MyCyberTwin
Vendor URL: http://www.mycybertwin.com/

----------------------------------------------------------------

Overview:
MyCyberTwin is a website that allows users to develop virtual
personalities/bots called "cybertwins". The MyCyberTwin website
informs that 6483 bots were already created. MyCyberTwin also
says that the service is still alpha.

Description:
MyCyberTwin service is vulnerable to cross-site scripting (XSS)
and HTML injection. Input passed directly to the "message"
parameter is not properly sanitised before being returned to the
user. It is also possible to inject code in the bot profile.
Since profile info is also displayed in user galleries and the
main web page, this vulnerability can make a large number of
users an easy target.

The vulnerability can be exploited to execute arbitrary HTML
code and script code in the user's browser session. It is even
possible to create a fake index/login page at the main web site
page at: http://mycybertwin.com

----------------------------------------------------------------

Details:
1) Message param XSS

http://mycybertwin.com/message.jsp?nextpage=/index.jsp&message=
<script>alert(document.cookie);</script>

2) Profile XSS

It is possible to inject html/script code in the "Display name"
field or the "City" field in the myhome.jsp page
(http://mycybertwin.com/myhome.jsp).

The injected code will be displayed at:
http://mycybertwin.com/chat/[botname]
and
http://mycybertwin.com/viewmycybertwins.jsp
and in the main web site page at:
http://mycybertwin.com

3) Conversation page XSS

When you start a conversation with a bot, your name is asked and
the bot creator is informed about it. If you provide html code
as a name, it will be displayed in the conversations page (at:
http://mycybertwin.com/myconversations.jsp)

----------------------------------------------------------------

Vulnerability Status:
MyCyberTwin was notified, but no reply has been received and
apparently no measures were taken.

----------------------------------------------------------------

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

---
Credit:
Alec Storm, Syhunt Security Research Team, www.syhunt.com