SandSprite Chat Server Script Injection

2003-08-08T09:30:56
ID OSVDB:2402
Type osvdb
Reporter OSVDB
Modified 2003-08-08T09:30:56

Description

Vulnerability Description

SandSprite Chat Server contains a flaw that allows an attacker to send malicious HTML script through a chat session, which is then executed in the browser of every participant. The issue is due to improper filtering of chat text. A user could craft a text block that executes arbitrary code in another user's browser within the trust relationship between that browser and the server, leading to a loss of integrity.
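
The filtering gap described above, as an added example that is not SandSprite's code and not part of the original advisory: a hypothetical chat relay renders one line with and without HTML encoding before sending it to every participant. All function names and the sample input are constructed for illustration.

```javascript
// Added example: hypothetical chat relay, not SandSprite Chat Server code.
"use strict";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The flaw class described above: chat text concatenated into markup as-is.
function renderLineUnfiltered(nick, text) {
  return '<div class="line"><b>' + nick + "</b>: " + text + "</div>";
}

// Hardened form: nickname and message are both encoded for the HTML context.
function renderLineEncoded(nick, text) {
  return '<div class="line"><b>' + escapeHtml(nick) + "</b>: " + escapeHtml(text) + "</div>";
}

// Relay one message to every participant; each receives the same rendered line,
// so encoding once at the relay protects the whole room.
function broadcast(participants, nick, text, render = renderLineEncoded) {
  const line = render(nick, text);
  return new Map(participants.map((p) => [p, line]));
}

// Constructed sample input (not taken from the advisory).
const SAMPLE_NICK = "guest<i>";
const SAMPLE_TEXT = "hi <script>document.title='x'</script>";

// Render the same message both ways and return what one participant receives.
function demo() {
  const users = ["alice", "bob"];
  return {
    unfiltered: broadcast(users, SAMPLE_NICK, SAMPLE_TEXT, renderLineUnfiltered).get("bob"),
    encoded: broadcast(users, SAMPLE_NICK, SAMPLE_TEXT).get("bob"),
  };
}

console.log(demo());
```

The encoded line reaches the browser as inert text, while the unfiltered line carries a live `<script>` element to every participant.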

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.sandsprite.com
Secunia Advisory ID: 9502
Other Advisory URL: http://exploitlabs.com/files/advisories/EXPL-A-2003-019-chatserver.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-08/0109.html
ISS X-Force ID: 12863
Bugtraq ID: 8383