Denial Of Service in ChatterBox 2.0

2004-02-03T00:00:00
ID SECURITYVULNS:DOC:5701
Type securityvulns
Reporter Securityvulns
Modified 2004-02-03T00:00:00

Description

                       Donato Ferrante

Application: ChatterBox http://www.urbancities.net/burton/

Version: 2.0

Bug: Denial Of Service

Author: Donato Ferrante e-mail: fdonato@autistici.org web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. Description
  2. The bug
  3. The code
  4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


1. Description:

Vendor's Description:

"ChatterBox is a multiple client, single server graphical chat program written in Java using Swing. Some basic features include sending private messages, kicking users (server only), and obtaining IP information on users (server only). It runs on any operating system supporting Java 1.3."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


2. The bug:

ChatterBox is not able to manage irregular requests in fact it will crash.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


3. The code:

To test the vulnerability simply send to the chat server a string like:

"aaaaaa"

and the chat server will go down.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


4. The fix:

Vendor was contacted. Bug will be probably fixed in the next version of ChatterBox, so go on the ChatterBox's official website: http://www.urbancities.net/burton/ and check for a new version.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx