Application: 53KF Web IM Vendor: www.53kf.com Corporation: LiuDu, Inc. Version: Latest: (19 JAN 2009) - Home Edition, Enterprise & Professional Description: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities Background: ============== 53KF is a web-based group chat tool that lets invite a client, colleague, or vendor to chat, and collaborate.More than 220,000 websites in the use of 53KF. Vulnerability: ============== They do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message. There is a client-side only input validation. Exploit: ============== 156function sendmsg() { 157 try{textCounter(document.getElementById("input1"),1000)}catch(e){} 158 msg=document.getElementById("input1").value; 159 if (msg.trim()=="") { 160 return; 161 } 162 msg=UBBEncode(msg); 163 document.getElementById("input1").value=""; 164 display_msg(""+infos[13]+": "+getTime2()+"
  "+UBBCode(msg.trim())); 165 try{msg=msgFilter(msg);}catch(e){} 166 if(usezzdy=="1"){ 167 var rmsg=sendtext(msg); 168 display_msg(""+infos[57]+":
  "+rmsg+""); 169 }else{ 170 if (typeof(rec_stat)!="undefined" && rec_stat==1){ 171 push_info("post","REC",mytempid,"11",UBBCode(msg.trim()),getTime()); 172 display_msg(""+infos[29]+":
  "+UBBCode(UBBEncode(lword_prompt))+""); 173 } 174 else{ 175 qstmsg(UBBCode(msg.trim())); 176 } 177 } 178 if (talk_fee_type==1) 179 { 180 talk_fee_type=0; 181 url="http://www.53kf.cn/v5_talk.php?talk_fee_type=1&arg="+arg+"&style="+style; 182 rpc(url); 183 } 184 185 if(istalktype==1) 186 { 187 istalktype=0; 188 url="http://www.53kf.cn/istalk.php?companyid="+company_id+"&istalk=1"; 189 rpc(url); 190 } 191} SET BREAKPOINT(firebug, etc) AT 164TH LINE, AND SET NEW VALUE: msg = "" ========================= xisigr[topsec] xisigr@gmail.com -- ----------------------------------------------------------------- NAME:xushaopei(xsp) ORG:Heart[T.P.S][F.S.T][J.I.C] QQ:9634989 EMAIL:xisigr@gmail.com BLOG:http://www.hackheart.com -----------------------------------------------------------------