53KF Web IM 2009 Cross-Site Scripting Vulnerabilities

2009.01.19
Credit: Heart
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Application: 53KF Web IM
Vendor: www.53kf.com
Corporation: LiuDu, Inc.
Version: Latest: (19 JAN 2009) - Home Edition, Enterprise & Professional
Description: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities

Background:
==============
53KF is a web-based group chat tool that lets you invite a client, colleague, or vendor to chat and collaborate. More than 220,000 websites use 53KF.

Vulnerability:
==============
The application does not properly sanitize potentially malicious input before it is rendered; as a result, an attacker might provide malicious HTML content as part of an IM message. Input validation is performed on the client side only.

Exploit:
==============
156 function sendmsg() {
157     try{textCounter(document.getElementById("input1"),1000)}catch(e){}
158     msg=document.getElementById("input1").value;
159     if (msg.trim()=="") {
160         return;
161     }
162     msg=UBBEncode(msg);
163     document.getElementById("input1").value="";
164     display_msg("<font color=\"#666666\">"+infos[13]+": "+getTime2()+"</font><br>&nbsp;&nbsp;"+UBBCode(msg.trim()));
165     try{msg=msgFilter(msg);}catch(e){}
166     if(usezzdy=="1"){
167         var rmsg=sendtext(msg);
168         display_msg("<font color=\"#666666\">"+infos[57]+":</font><br>&nbsp;&nbsp;<font color=\"#0000CE\">"+rmsg+"</font>");
169     }else{
170         if (typeof(rec_stat)!="undefined" && rec_stat==1){
171             push_info("post","REC",mytempid,"11",UBBCode(msg.trim()),getTime());
172             display_msg("<font color=\"#666666\">"+infos[29]+":</font><br>&nbsp;&nbsp;<font color=\"#0000CE\">"+UBBCode(UBBEncode(lword_prompt))+"</font>");
173         }
174         else{
175             qstmsg(UBBCode(msg.trim()));
176         }
177     }
178     if (talk_fee_type==1)
179     {
180         talk_fee_type=0;
181         url="http://www.53kf.cn/v5_talk.php?talk_fee_type=1&arg="+arg+"&style="+style;
182         rpc(url);
183     }
184
185     if(istalktype==1)
186     {
187         istalktype=0;
188         url="http://www.53kf.cn/istalk.php?companyid="+company_id+"&istalk=1";
189         rpc(url);
190     }
191 }

SET BREAKPOINT (firebug, etc) AT 164TH LINE, AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='http://WWW.g.cn'></iframe>"

=========================
xisigr[topsec]
xisigr_at_gmail.com
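The advisory attributes the issue to validation that exists only in the client script, so the mitigation is to repeat the check where the sender cannot alter it. The following is an added example, not 53KF code or a vendor fix: it sketches server-side handling that escapes every message before it is relayed or rendered. The function names and the [b]/[i]/[u] tag subset are assumptions.

```javascript
// Added example (not 53KF code). All names here are hypothetical.
const MAX_LEN = 1000; // mirrors the client-side textCounter(..., 1000) limit

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can open a tag, entity or attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed UBB subset: only complete [tag]...[/tag] pairs become markup,
// and only after the text has already been HTML-escaped.
const UBB_TAGS = ['b', 'i', 'u'];

function renderUbb(escaped) {
  let out = escaped;
  for (const tag of UBB_TAGS) {
    const pair = new RegExp(`\\[${tag}\\]([\\s\\S]*?)\\[/${tag}\\]`, 'gi');
    out = out.replace(pair, `<${tag}>$1</${tag}>`);
  }
  return out;
}

// Server-side step: the length and emptiness checks from sendmsg() are
// repeated here because anything enforced in the browser can be skipped.
function sanitizeIncomingMessage(raw) {
  if (typeof raw !== 'string') throw new TypeError('message must be a string');
  const trimmed = raw.trim();
  if (trimmed === '' || trimmed.length > MAX_LEN) return null;
  return renderUbb(escapeHtml(trimmed));
}

// Constructed samples; the second is the value the advisory sets at line 164.
const samples = [
  'hello [b]world[/b]',
  "<iframe width=800 height=600 src='http://WWW.g.cn'></iframe>",
];
for (const s of samples) console.log(sanitizeIncomingMessage(s));
```

The receiving page should insert the returned string as already-encoded content and never re-decode it before display.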

References:

http://xforce.iss.net/xforce/xfdb/48096
http://www.securityfocus.com/bid/33341
http://www.securityfocus.com/archive/1/archive/1/500169/100/0/threaded



Copyright 2024, cxsecurity.com

 
