# Easy Chat Server Multiple Vulnerabilities



## jgvernonco (Sep 13, 2003)

TITLE:
Easy Chat Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12006

VERIFY ADVISORY:
http://secunia.com/advisories/12006/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, DoS, System access

WHERE:
From remote

SOFTWARE:
Easy Chat Server 1.x
http://secunia.com/product/3648/

DESCRIPTION:
Multiple vulnerabilities have been reported in Easy Chat Server,
allowing malicious people to cause a DoS (Denial of Service), conduct
cross-site scripting attacks, and potentially compromise a vulnerable
system.

1) A boundary error within the handling of usernames can be exploited
to cause a buffer overflow via an overly long string (about 300
bytes) passed to the "username" parameter in "chat.ghp".

Example:
http://[victim]/chat.ghp?username=[long_string]&password=&room=1&sex=0

Successful exploitation may allow execution of arbitrary code.

2) It is reportedly possible to crash the application by logging into
a room with a large number of users.

3) An input validation error within the handling of usernames can be
exploited to execute arbitrary HTML or script code in a user's
browser session in the context of a vulnerable site by tricking the
user into visiting a malicious website or clicking a specially crafted link.

Example:
http://[victim]/chat.ghp?username=">
&password=&room=1&sex=0

The vulnerabilities have been reported in version 1.2. Prior versions
may also be affected.

SOLUTION:
Disable "guest" logins to all rooms, and disable the functionality
allowing guests to register a new account. Also, restrict access to
the service, allowing only trusted IP addresses to connect.

Use another product.

PROVIDED AND/OR DISCOVERED BY:
1+2) Donato Ferrante

ORIGINAL ADVISORY:
http://www.autistici.org/fdonato/advisory/EasyChatServer1.2-adv.txt


----------
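A log check for the two "username" issues in the advisory above (the overly long value and the unvalidated markup), added here as an example and not part of the original post or the advisory. The common-log-format input, the 64-byte alert limit and all function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The advisory reports the overflow at about 300 bytes; alerting at 64 is an
# assumed site policy for chat nicknames, chosen to sit well below that.
MAX_USERNAME_BYTES = 64
MARKUP = re.compile(r"[<>\"']")          # characters that can break out of HTML
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return findings for one request target (path plus query string)."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return ["unparseable-target"]
    if not parts.path.lower().endswith("/chat.ghp"):
        return []
    findings = []
    # latin-1 maps each percent-decoded byte to one character, so the
    # length checked below is the decoded byte length of the parameter.
    params = parse_qs(parts.query, keep_blank_values=True, encoding="latin-1")
    for name in params.get("username", []):
        size = len(name.encode("latin-1", "replace"))
        if size > MAX_USERNAME_BYTES:
            findings.append(f"long-username:{size}")
        if MARKUP.search(name):
            findings.append("markup-in-username")
    return findings

def scan(lines):
    """Return (line_number, findings) for every flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        findings = check_request(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample lines in common log format (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /chat.ghp?username=alice&password=&room=1&sex=0 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2004:10:00:05 +0000] "GET /chat.ghp?username=' + "A" * 300 + '&password=&room=1&sex=0 HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2004:10:00:09 +0000] "GET /chat.ghp?username=%22%3E&password=&room=1&sex=0 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

The same two checks can be enforced at a reverse proxy in front of the service, alongside the IP restriction the advisory recommends.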

