Everything posted by iGuano

  1. Admins won't spend time on anything that's not making them money, hence the 1000 xat administration fee. It would take all of 20 minutes to completely implement and test a "change e-mail" feature, and it's a disgrace that it isn't an option. This is just another example of xat lacking the most basic of features, and this is why xat has been declining over the past couple of years. Volunteers do a surprisingly good job considering the poor quality and lack of tools given to them.
  2. Hello, the "New Ticket" page actually uses your xat.com login cookies to log you in. You will need to log in at xat.com/login so the ticket system can automatically pick up your username. Note: if the ticket was opened via e-mail, please use the link sent to the relevant e-mail.
  3. When you loan your powers out, you are doing so at your own risk; xat strongly advises against this. There is nothing we can do for you on the forum; you will have to wait for your ticket to be dealt with. Also, could you please take out the other user's cell phone number for their privacy?
  4. Sorry for the late update; I've been quite busy. The generator has been made more intuitive; it should be easier to use now. I have also added the new extra options for xat chats, and added some additional options for youtube.
  5. It seems xat is forcing crossdomain.xml to be requested over HTTP, via the chat.swf client. You will have to stop using SSL for the time being, or wait until xat pushes a fix, if you want to avoid this error. Note: your site isn't any less safe due to xat requesting crossdomain.xml via HTTP (the request is actually being blocked). It just means some functionality may stop working (whatever the requested links are being used for).
  6. Tell your friend to clear their local storage (as if you were making a new ID, drag the bar to zero KB) and then clear their cache and cookies again. Make sure to close all chat tabs.
  7. The generator also now automatically gets xat chat IDs (you now only have to enter the chat name).
  8. Multi-lingual support has been added! Now you can use the generator in over 90 languages:
  9. Good job. By the way, there seems to be a typo on the "custom fonts" section:
  10. I really don't mind, I created it for people to use.
  11. Support for "bubble shooter game" has been added. Try it out here: http://xat-res.info/sc/
  12. Thanks, hope it helps.
  13. As many of you know, xat has recently removed support for the embed tag (for security reasons) and has introduced BBcodes. This changeover has been affecting many people, and it can be confusing to understand at first. So I've created a little tool that does it for you automatically! All feedback is appreciated; for any suggestions or bugs, let me know and I'll get on it as soon as I can. Link to generator: http://xat-res.info/sc/
  14. It was working at the time of writing; your latest patch must have fixed it. Good job. On another note, password reset tokens don't expire after use; you should fix that.
  15. Good job on fixing it so fast! However, I've bypassed it again. PM'd you the details.
  16. Note: The HTML5 player has been temporarily disabled by xatradio.com, while they patch another vulnerability.
  17. It appears their latest fix is blocking innocent radio stations. I'll try to notify them for you.
  18. I believe there is a fix in progress for this one.
  19. I've had a look at your second fix. This time it seems you now block all mime types except "audio/mpeg". However, the IP leakage issue is still present. You would have to actually proxy the stream through your server to avoid this issue; maybe it is a risk xat is willing to take. I created another quick POC, I'll post it below:

      index.php
      <?php header('Content-Type: audio/mpeg'); // respond with the one whitelisted mime type ?>

      Now that I've bypassed the mime type blocking, I can still log IP addresses.

      Server log
      [leaked victim ip] - - [04/Mar/2017] "GET /;stream.mp3 HTTP/1.1" 200 15 "http://chatsgroup.com/web_gear/chat/media.php?d=[snip]&p=0&id=[snip]" "Mozilla/5.0 [snip]

      You can make use of the proxy_pass feature in Nginx to achieve this.
  20. Good job, that second fix seems to have done the trick. I have to pop out, but I'll have another look later and see if it is still vulnerable.
  21. Yes, but I can supply my server IP, not needing a domain at all, so whitelisting URLs doesn't make a difference. For example, xatradio.com/html5.php?ip=;stream.mp3
  22. Good job. Thanks, I'll notify xatradio.com of specific vulnerabilities there from now on. On second glance, it appears you have published an incomplete fix. I notice you now no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works. In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work. This is still fully exploitable.
  23. I assume they are working on fixing the vulnerability; not sure why they would have to disable the whole site. The error "500 Internal Server Error" suggests there is an error in the code, probably a typo. I'd say it will be back up shortly.
  24. Hello again, I'm assuming this is the correct place to report these vulnerabilities, as contacting the default e-mail "info@xat.com" failed, and the support system seems to be for paying customers only. This time the vulnerability actually lies in the "xatradio.com" domain; however, it is affecting xat due to xat trusting this URL and having it whitelisted. The vulnerable endpoint is /html5.php; the intended functionality of this is to act as a proxy between xat's users and your radio server. However, it seems the endpoint is simply redirecting to the supplied IP address or domain. Due to this behaviour, we can craft a malicious URL to embed content from another domain, rendering xat's URL filter useless as it is proxying through the trusted domain "xatradio.com". Let's get down to the POC. As you can see below, I have created an "<img" tag and set the src attribute to "xatradio.com/html5.php?ip=i.imgur.com/9r6tkfl.png&port=80&extra=/;stream.mp3". This is exactly the same as just setting the src attribute to i.imgur.com/9r6tkfl.png; however, xat wouldn't let you do that as the domain is not trusted. Luckily, xatradio.com is. So with this vulnerability, we can use any malicious URL in xat's group editing and xatspace editing features, linkvalidator and some other xat features that only allow trusted URLs. View the below image as a proof of concept. As you can see, I've embedded an image from my own domain below the chat. xat wouldn't usually allow us to do this (it only allows tinypic, imgur and other trusted domains). Here is also an access log from the server:

      [snip] - - [04/Mar/2017 snip] "GET /bioxshotevil.jpg?:80/;stream.mp3 HTTP/1.1" 200 48198 "-" "Mozilla/5.0 [snip]" "[leaked victim IP]"

      A good fix here would be for xat to block redirects from external domains, or for xatradio.com to fix the vulnerable endpoint.
  25. Responsible disclosure was attempted by contacting "info@xat.com" approx. 1 month ago; with no response, it is being disclosed on the forum. Upon clicking youtube, photobucket and some other selected links, xat tries to embed the URL in an iframe, appearing on the left (as seen in the picture below). Obviously this should be restricted to a whitelisted set of domains, and xat does attempt to do that, very poorly however. It is failing to properly validate domain names, allowing a specially crafted URL to be embedded. In the case of photobucket, xat is simply checking if '.photobucket' is in the URL. This is because photobucket has varying subdomains for different servers. They fail to take into consideration that a URL such as evil.com?.photobucket can be passed; the javascript still sees ".photobucket" so it believes that is the root domain, however it is just the URL path. Let's see this in action; below is a POC. (Clicking the link launches it in the media app.) And if I do this on a server under my control, I can simply access the web server access logs and view the victim's IP address, referer and user agent information. Example log:

      [snip] - - [snip] "GET /?s10.photobucket.com/user/alsonwong/media/Astrophotos/th_Milky HTTP/1.1" 200 53797 "http://xat.com/[snip]" "Mozilla/5.0 [snip] "[leaked user IP]"

      The scary part is that if we are a moderator (required minimum rank to broadcast videos), we can broadcast this link, meaning the users don't even have to click the link for their information to be leaked. A good fix would be to properly parse the URL and ensure the root domain is a trusted domain (i.e. photobucket.com). Hopefully this report reaching a broader audience will influence the administrators or appropriate staff to address this situation. This post is for educational purposes only. :-)
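The failed URL validation in the xatradio.com (item 24) and photobucket (item 25) reports, as an added example that is not iGuano's, xat's or xatradio.com's code: the substring check the post describes beside a hostname-based whitelist, plus a re-check of redirect targets. The TRUSTED_ROOTS list, function names and sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from xat, xatradio.com or the posts above.
// TRUSTED_ROOTS and the function names are assumptions for illustration.
const TRUSTED_ROOTS = ['photobucket.com', 'imgur.com', 'youtube.com', 'xatradio.com'];

// The check item 25 describes: a substring test, so the path or query
// string of an untrusted host can carry the magic string.
function isTrustedSubstring(url) {
  return url.includes('.photobucket');
}

// Hardened check: parse the URL, accept only http(s), reject userinfo,
// and compare the real hostname against the trusted roots
// (exact match or a genuine subdomain of one of them).
function isTrustedHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input is rejected rather than embedded
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  if (parsed.username !== '' || parsed.password !== '') return false;
  const host = parsed.hostname.toLowerCase();
  return TRUSTED_ROOTS.some(root => host === root || host.endsWith('.' + root));
}

// Item 24's point: a trusted host may redirect elsewhere, so a client that
// follows redirects has to re-validate every Location target (relative
// Location values are resolved against the URL being fetched).
function isTrustedRedirect(fromUrl, locationHeader) {
  let target;
  try {
    target = new URL(locationHeader, fromUrl);
  } catch (e) {
    return false;
  }
  return isTrustedHostname(target.href);
}

// Constructed inputs modelled on the posts: the substring check passes every
// one of them, the hostname check passes only the legitimate first URL.
const SAMPLES = [
  'http://s10.photobucket.com/user/alsonwong/media/x.jpg', // legitimate
  'http://evil.com?.photobucket',                          // crafted (item 25)
  'http://www.photobucket.com.evil.com/',                  // lookalike host
  'ftp://files.photobucket.com/x.jpg',                     // wrong scheme
];
for (const u of SAMPLES) {
  console.log(u, 'substring:', isTrustedSubstring(u), 'hostname:', isTrustedHostname(u));
}
```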