AOH :: HP Unsorted L :: VA1307.HTM

LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities



LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities
LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities



Application: LooYu Web IM
Vendor: www.looyu.com 
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Background:
=============LooYu is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.

Vulnerability:
=============They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.

Exploit:
=============1. newVisitorChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
}

(2)function save_message(msg) {
	var m = msg;                          //BREAKPOINT
	for(var e in emots){
    	if(m.indexOf(e)!=-1){    	
    		m = m.replace(e,emots[e]);       			
    	}

    }
    addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send');
    ..................
    ..................
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "" 


2. newCusChat.js

(1)function sendMessage() {
    ..................
    ..................
    save_message(replaceHtml(msg));
    ..................
    ..................
 }

(2)function saveMessage(msg) {
     showLocalMessage(msg);
     Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(),
msg,{callback:function(m){
     save_message_do(currentVisitor,m);              //BREAKPOINT
     }});
    }
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "" 

========================xisigr[topsec]
xisigr@gmail.com 



-- 
----xisigr----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.