Cross-site Scripting (XSS) Vulnerability in Happy Chat

2011-05-17T00:00:00
ID HTB23001
Type htbridge
Reporter High-Tech Bridge
Modified 2011-05-17T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered vulnerability in Happy Chat which could be exploited to perform cross-site scripting attacks.

1) Cross-site scripting (XSS) vulnerability in Happy Chat
The vulnerability exists due to input sanitation error in the "nick" parameter in profilo.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user`s browser in context of the vulnerable website.
Exploitation example:
http://[host]/profilo.php?nick=%22%3E%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E