Secure Science Corporation Application Software Advisory 055

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Secure Science Corporation Application Software Advisory 055
From: SSC Advisory Notice <bugtraq@xxxxxxxxxxxxxxxxx>
Date: Wed, 20 Apr 2005 09:32:09 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Secure Science Corporation
User-agent: Mozilla Thunderbird 0.8 (X11/20040913)

Please see attached Advisory.


Secure Science Corporation
securescience.net
bugtraq@xxxxxxxxxxxxxxxxx

Secure Science Corporation Advisory ASA-055
http://www.securescience.net
e-response@xxxxxxxxxxxxxxxxx
877-570-0455

---------------------------------------------------------

PHPROJEKT 4.2 Chatroom is vulnerable to Cross-Site Scripting (XSS) attacks
allowing a "broadcast" attack to users in the chatroom. 

---------------------------------------------------------------------

Vulnerability Classification: Cross-Site Scripting, Arbitrary browser control,
"broadcast" attack.

Discovery Date: April 10, 2005
Vendor Contacted: April 14, 2005
Advisory publication date: April 20, 2005


Abstract:
---------
PHPROJEKT <= 4.2 allow XSS attacks in the chatroom via the text submission form.
This enables all viewers of the chat present and future to be exploited via 
arbitrary commands inputted via the attacker. Such attacks "broadcast" 
every 20 seconds based on the "refreshing" of content and set static 
in the chatroom html. 

Description:
------------
During a recent evaluation of PHPROJEKT 4.2, the chatroom text submission was
found to allow html tags including "<>" thus enabling a XSS attack against
users in the chatroom. The nature of a chatroom allows all parties to see 
live messages publicly in "real time" so an XSS attack will be broadcasted
to all users receiving messages. Also noted is that the chat forum holds static
content for users to come back and review the messages. Essentially if a user 
decides to enter the targeted chatroom, the XSS attack will successfully 
execute 
immediately whether or not there is a live chat session in progress. 

The ease of attack is implemented merely from typing your attack in the test
submission form and waiting for a refresh to occur. Once this is performed,
arbitrary code that was submitted by the user will be executed and sent to
all viewing browsers.

Tested Vendors:
---------------
PHPROJECT 4.2

Vendor and Patch Information:
-----------------------------
Secure Science Corporation has submitted this to PHPROJEKT and has received no 
response to date.
Due to the importance of the situation it has been posted to bugtraq. 

Solution:
---------
Require input validation on unnecessary fields.

Credits: 
--------
Secure Science Corporation

Disclaimer:
----------- 
Secure Science Corporation is not responsible for the misuse of any of the 
information we
provide on this website and/or through our security advisories. Our
advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.

Prev by Date: [OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)
Next by Date: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Previous by thread: [OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)
Next by thread: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Index(es):
- Date
- Thread