------------------------------------------------------------------ - EXPL-A-2003-008 exploitlabs.com Advisory 008 ------------------------------------------------------------------ -= Asp Chat ( chat.asp ) =- morning_wood June 16, 2003 exploitlabs.com Vunerability(s): ---------------- 1. .ASP XSS / JS Injection alot more im sure... Product: -------- AspChat http://www.123apps.net/page.asp?page=aspchat Description of product: ----------------------- ASP Chat - Freeware "Web based chat application with user friendly interface. Easy to install just copy to your folder where you want to use it. No database and no components needed. Download and use it for free." Download: http://download.123apps.net/files/aspchat.zip <-- dont work http://www.zone-h.org/download/file=2848/ VUNERABILITY / EXPLOIT ====================== Remote: ------- yup poc code here... this is a direct rip of the login page, ------------ snippy -------------------
Type nickname

ASP Chat by 123apps.net ----------- end snippy --------------- as we can see by the poc script there is no length checking on the login. the login name ( or script from poc )is "pushed" into chat as the user name, rendering XSS and remote includes by way of... or whatever have you. all users are affected by this that are currently logged in or log in later as there is some "persistance" as this... http://www.123apps.net/demo/aspchat/ or http://www.123apps.net/demo/aspchat/chat.asp shows. the depth of this has not been fully exploited, I leave it to the vendor to fix ASAP. oh... you can chat normaly and then decide to "throw" urls or bad js at people ... i got bored real fast with that. Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- info@123apps.net - Concurrent with this advisory Credits: -------- morning_wood http://exploitlabs.com "were finding your holes" morning_wood@frame4.com - get tested ---------------------------------------- be a good vendor... test your products first, it is your problem, fix it. http://nothackers.org - it's t0day