Adventia Chat Server Pro 3.0 suffers from cross site scripting flaw.
f5be810e51ce7ac691078c31fe2d121af2db6850a6b2fbc89c05a553bf3508c8------------------------------------------------------------
- EXPL-A-2005-003 exploitlabs.com Advisory 032 -
------------------------------------------------------------
- Adventia Chat -
OVERVIEW
========
Adventia Chat Server Pro 3.0 is an ASP program that allows
you to easily add multiple HTML-only chat rooms to your site,
transforming your web site or intranet into a dynamic and
successful online community comprised of customers, users,
suppliers or employees.
AFFECTED PRODUCTS
=================
Adventia Chat 3.1
Chat Server Pro 3.0
http://www.adventia.com/
DETAILS
=======
Adventia Chat has HTML code enabled by default, allowing all static
and remote XSS to be inserted in the chat space. This causes XSS in all
chat users browsers. ( including cookie theft and session spooofing )
As well, the entered text is of a persistant nature, allowing for
exploitation after the attacker has left the chat application.
This could also be used as an attack vector for "pushing" code
to exploit users using the latest browser exploits.
SOLUTION
========
none
1st contact: March 16, 2005 ( no reply )
PROOF OF CONCEPT
================
none ( just enter any xss style text )
demo url: http://www.adventia.com/cgi-bin/chatpro/login.asp
CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
web: http://exploitlabs.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed