Bugtraq mailing list archives

ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability
From: G00db0y <G00db0y () zone-h org>
Date: 13 Aug 2003 16:03:33 -0000

ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability

Published: 13 August 2003

Released: 13 August 2003

Name: ChitChat.NET

Affected Systems: 2.0

Issue: Remote attackers can inject XSS script

Author: G00db0y () zone-h org

Vendor: http://clickcess.com/



Zone-h Security Team has discovered a flaw in ChitChat.NET v2.0 (and older 
"ChitChat.NET is an ASP.NET based discussion forum designed specifically 
for SQL Server." 


It's possible to inject XSS script in the Name box and in the Topic Title 

For example try this:

Name: <script>alert(Zone-h1)</script>

Email address: test () test com

Topic title: <script>alert(Zone-h)</script>

Message: www.Zone-h.org



The vendor has been contacted and a patch was produced.



Filter the posting procedure.

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2882/
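
The following is an added example, not part of the advisory and not the vendor's patch: one way to "filter the posting procedure" in a .NET forum is to HTML-encode the Name and Topic Title fields where they are written into the page. The `ForumPost` and `PostRenderer` types, the length limits and the markup are assumptions made for illustration; `WebUtility.HtmlEncode` is the standard .NET encoder.

```csharp
using System;
using System.Net;
using System.Text;

// Hypothetical post model; field names follow the form labels in the advisory.
public sealed class ForumPost
{
    public string Name = "";
    public string TopicTitle = "";
    public string Message = "";
}

public static class PostRenderer
{
    // Input hygiene for single-line fields: trim, drop control characters,
    // cap the length. This alone does not stop XSS; the encoding below does.
    public static string Normalize(string value, int maxLength)
    {
        if (string.IsNullOrEmpty(value)) return "";
        var sb = new StringBuilder();
        foreach (char c in value.Trim())
        {
            if (sb.Length >= maxLength) break;
            if (!char.IsControl(c)) sb.Append(c);
        }
        return sb.ToString();
    }

    // Every user-controlled field is encoded at the point of output, so
    // markup typed into the form is displayed as text instead of executed.
    public static string Render(ForumPost p)
    {
        return "<div class=\"post\">"
             + "<h2>" + WebUtility.HtmlEncode(Normalize(p.TopicTitle, 100)) + "</h2>"
             + "<p class=\"author\">" + WebUtility.HtmlEncode(Normalize(p.Name, 50)) + "</p>"
             + "<p>" + WebUtility.HtmlEncode(p.Message ?? "") + "</p>"
             + "</div>";
    }
}

public static class Program
{
    public static void Main()
    {
        // Field values taken from the advisory's example input.
        var post = new ForumPost
        {
            Name = "<script>alert(Zone-h1)</script>",
            TopicTitle = "<script>alert(Zone-h)</script>",
            Message = "www.Zone-h.org"
        };
        Console.WriteLine(PostRenderer.Render(post));
    }
}
```

Encoding on output rather than stripping tags on input keeps the stored data intact and covers every page that later displays the same fields.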
