------------------------------------------------------------------
- EXPL-A-2003-008 exploitlabs.com Advisory 008
------------------------------------------------------------------
-= Asp Chat ( chat.asp ) =-
morning_wood
June 16, 2003
exploitlabs.com
Vunerability(s):
----------------
1. .ASP XSS / JS Injection
alot more im sure...
Product:
--------
AspChat
http://www.123apps.net/page.asp?page=aspchat
Description of product:
-----------------------
ASP Chat - Freeware
"Web based chat application with user friendly interface.
Easy to install just copy to your folder where you want to use it.
No database and no components needed. Download and use it for free."
Download:
http://download.123apps.net/files/aspchat.zip <-- dont work
http://www.zone-h.org/download/file=2848/
VUNERABILITY / EXPLOIT
======================
Remote:
-------
yup
poc code here...
this is a direct rip of the login page,
------------ snippy -------------------
Type nickname
ASP Chat by 123apps.net
----------- end snippy ---------------
as we can see by the poc script there is no length checking on the login.
the login name ( or script from poc )is "pushed" into chat as the user name,
rendering XSS and remote includes by way of...
or whatever have you. all users are affected by this that are currently logged in or
log in later as there is some "persistance" as this...
http://www.123apps.net/demo/aspchat/ or
http://www.123apps.net/demo/aspchat/chat.asp shows.
the depth of this has not been fully exploited, I leave it to the vendor to fix ASAP.
oh... you can chat normaly and then decide to "throw" urls or bad js at people ... i got bored real fast with that.
Vendor Fix:
-----------
No fix on 0day
Vendor Contact:
---------------
info@123apps.net - Concurrent with this advisory
Credits:
--------
morning_wood
http://exploitlabs.com "were finding your holes"
morning_wood@frame4.com - get tested
----------------------------------------
be a good vendor... test your products first, it is your problem, fix it.
http://nothackers.org - it's t0day