BlastChat Chat Client 3.3 Cross Site Scripting

`==========================================================================================  
BlastChat Chat Client Component version 3.3 <= Cross Script Scripting  
(XSS) Vulnerability  
==========================================================================================  
  
  
1. OVERVIEW  
  
The BlastChat's chat client Component of Joomla 1.x, Joomla 1.5.x,  
Mambo 4.5, Mambo 4.6, Drupal 6  
was vulnerable to Cross Script Scripting (XSS) Vulnerability.  
  
  
2. PRODUCT DESCRIPTION  
  
The BlastChat Chat Client Component is a widely-used Blastchat chat  
client component designed for website communities  
from the smallest personal websites to the huge megasites who desire  
to provide their members and visitors  
with a superb chat experience. The client chat component is available  
in multiple CMSes including  
Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6, and Drupal 6.  
BlastChat has currently been serving chat to over 50.000+ websites.  
  
  
3. VULNERABILITY DESCRIPTION  
  
The BlastChat's chat client Component does not properly escape  
"Itemid" parameter, which leads to Cross Site Scripting vulnerability.  
For more information about this kind of vulnerability, see OWASP Top  
10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During  
Web Page Generation ('Cross-site Scripting').  
  
  
4. VERSIONS AFFECTED  
  
Versions: 3.3 and lower  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
URL: /index.php?option=com_blastchatc&Itemid=-999  
Affected Parameter: Itemid  
  
http://yehg.net/lab/pr0js/advisories/joomla/com_blastchatc_xss(Itemid).jpg  
  
  
6. IMPACT  
  
As this is a multi-user chat application "component", the impact of  
XSS is huge, ranking from cookie theft to mass client exploits.  
  
  
7. SOLUTION  
  
Upgrade to version 3.4  
  
  
8. VENDOR  
  
Blastchat  
http://www.blastchat.com  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
08-11-2010: discovered vulnerability  
08-11-2010: notified vendor  
08-11-2010: vendor fixed vulnerability  
08-14-2010: vendor released patched version - 3.4  
08-26-2010: vulnerability disclosed  
  
  
11. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/joomla/[com_blastchatc]_cross_site_scripting  
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf  
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml  
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting  
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
  
#yehg [08-26-2010]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
  
`