Secure Science Corporation Advisory ASA-055
http://www.securescience.net
e-response@securescience.net
877-570-0455
---------------------------------------------------------

PHPROJEKT 4.2 Chatroom is vulnerable to Cross-Site Scripting (XSS)
attacks, allowing a "broadcast" attack against users in the chatroom.
---------------------------------------------------------------------

Vulnerability Classification: Cross-Site Scripting, arbitrary browser control, "broadcast" attack.
Discovery Date: April 10, 2005
Vendor Contacted: April 14, 2005
Advisory publication date: April 20, 2005

Abstract:
---------
PHPROJEKT <= 4.2 allows XSS attacks in the chatroom via the text submission form. This enables all viewers of the chat, present and future, to be exploited via arbitrary commands entered by the attacker. Such attacks are "broadcast" every 20 seconds, based on the "refreshing" of content, and are stored statically in the chatroom HTML.

Description:
------------
During a recent evaluation of PHPROJEKT 4.2, the chatroom text submission form was found to allow HTML tags, including "<>", thus enabling an XSS attack against users in the chatroom. The nature of a chatroom allows all parties to see live messages publicly in "real time", so an XSS attack is broadcast to every user receiving messages. Also noted is that the chatroom holds static content so that users can come back and review the messages. Essentially, if a user decides to enter the targeted chatroom, the XSS attack will execute immediately, whether or not a live chat session is in progress. The attack requires nothing more than typing the payload into the text submission form and waiting for a refresh to occur. Once this is performed, the arbitrary code submitted by that user is sent to, and executed in, every viewing browser.
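To make the two halves of the issue concrete, the following is an added example (written for this advisory, not code from PHProjekt): a rendering function that inlines stored chat text the way the Description implies, beside an output-escaped version and the input check the Solution section calls for, plus a scan that flags already-stored messages containing markup. The chat log, user names and the tag pattern are constructed for illustration.

```python
import html
import re

# Constructed sample chat log, standing in for the messages the chatroom
# stores and re-renders on every refresh (not real PHProjekt data).
CHAT_LOG = [
    {"user": "alice", "text": "hello everyone"},
    {"user": "mallory", "text": "<script>/* constructed marker */</script>"},
    {"user": "bob", "text": "1 < 2 & 2 > 1"},
]

# Matches an HTML tag opener such as <b>, </b> or <script ...>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(messages):
    """Pattern the advisory describes: stored text is inlined verbatim into
    the chat HTML, so any markup one user typed reaches every viewer."""
    return "\n".join(f"<p><b>{m['user']}</b>: {m['text']}</p>" for m in messages)


def render_escaped(messages):
    """Hardened rendering: every user-controlled value is HTML-escaped at
    output time, so '<', '>', '&' and quotes display as text, not markup."""
    return "\n".join(
        f"<p><b>{html.escape(m['user'])}</b>: {html.escape(m['text'])}</p>"
        for m in messages
    )


def accept_message(text, max_len=500):
    """Input-side validation for the chat text field, which has no legitimate
    need for HTML: reject tags outright instead of trying to strip them."""
    if not text or len(text) > max_len:
        return False
    return TAG_RE.search(text) is None


def find_stored_markup(messages):
    """Retrospective check for a stored (persistent) XSS: names the users whose
    already-stored messages contain tags and would fire on each refresh."""
    return [m["user"] for m in messages if TAG_RE.search(m["text"])]


if __name__ == "__main__":
    print(render_unsafe(CHAT_LOG))
    print(render_escaped(CHAT_LOG))
    print("flagged:", find_stored_markup(CHAT_LOG))
```

Note that bob's comparison text passes the input check and is still rendered safely, which is why escaping at output time is the primary control and the input check is a second layer.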
Tested Vendors:
---------------
PHPROJEKT 4.2

Vendor and Patch Information:
-----------------------------
Secure Science Corporation has submitted this to PHPROJEKT and has received no response to date. Due to the importance of the situation, it has been posted to bugtraq.

Solution:
---------
Require input validation on fields that do not need to accept HTML.

Credits:
--------
Secure Science Corporation

Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Secure Science Corporation products.