#######################################################################

                             Luigi Auriemma

Application:  Chat Anywhere
              http://www.lionmax.com/chatanywhere.htm
Versions:     <= 2.72
Platforms:    Windows
Bug:          users cannot be banned or kicked
Risk:         low
Exploitation: remote, via browser
Date:         09 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chat Anywhere is a web chat server allowing multiple chat rooms
accessible via browser. It also supports remote administration via web.


#######################################################################

======
2) Bug
======


Using %00 before the nickname, a user is able to hide himself from the
administrator. In practice the admin cannot see the user's IP address
in the administration web page because it is substituted by the text
$IP$. This prevents banning and kicking the user, so the admin has no
control over him.


#######################################################################

===========
3) The Code
===========


I have created a simple HTML file that sends %00 in plain text, because
almost all browsers send it encoded as %2500:

http://aluigi.altervista.org/poc/ca-ghost.htm


#######################################################################

======
4) Fix
======


Version 2.72a


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
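As an added example (not part of this advisory and not Chat Anywhere's own code), a server-side check of the kind that closes the bug described in section 2: decode the nickname parameter once, then reject any NUL or other control character before the value can reach the administration page, plus a detection helper that flags a literal %00 in the raw query string. The parameter name "nick", the query-string layout and the simulated admin row are assumptions, since the advisory does not give them.

```python
import re
from urllib.parse import parse_qs

# Chat Anywhere's real parameter name is not given in the advisory; "nick" is assumed.
NICK_PARAM = "nick"

# Nicknames may contain printable characters only; NUL and other control
# characters (the %00 that hides a user from the admin page) are rejected.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


def raw_query_has_encoded_nul(raw_query: str) -> bool:
    """Detection: spot a percent-encoded NUL in the still-undecoded query string.
    Browsers normally send a typed %00 as %2500, so a literal %00 is a strong
    signal of a hand-crafted request of the kind the advisory describes."""
    return re.search(r"%00", raw_query, re.IGNORECASE) is not None


def extract_nickname(raw_query: str):
    """Decode the query string exactly once and validate the nickname.
    Returns the nickname, or None if it is missing, blank or contains
    forbidden bytes. Note that %2500 decodes to the harmless text '%00'."""
    params = parse_qs(raw_query, keep_blank_values=True)
    values = params.get(NICK_PARAM)
    if not values:
        return None
    nick = values[0]
    if _FORBIDDEN.search(nick) or not nick.strip():
        return None
    return nick


def admin_row(raw_query: str, client_ip: str) -> str:
    """Render one line of a simulated admin user list (constructed format).
    The advisory says the vulnerable page showed the literal text $IP$ for a
    NUL-prefixed nickname; here such a nickname is never admitted, so every
    row that reaches the admin carries the real client address."""
    nick = extract_nickname(raw_query)
    if nick is None:
        return f"REJECTED {client_ip}"
    return f"{nick} {client_ip}"
```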