iGuano Posted March 4, 2017

Responsible disclosure was attempted by contacting "info@xat.com" approx. 1 month ago, with no response, so it is being disclosed on the forum.

Upon clicking YouTube, Photobucket and some other selected links, xat tries to embed the URL in an iframe, appearing on the left (as seen in the picture below). Obviously this should be restricted to a whitelisted set of domains, and xat does attempt to do that, very poorly however. It is failing to properly validate domain names, allowing a specially crafted URL to be embedded.

In the case of Photobucket, xat is simply checking if '.photobucket' is in the URL. This is because Photobucket has varying subdomains for different servers. They fail to take into consideration that a URL such as evil.com?.photobucket can be passed; the JavaScript still sees ".photobucket", so it believes that is the root domain, however it is just the URL path.

Let's see this in action, below is a POC. (Clicking the link launches it open in the media app.)

And if I do this on a server of my control, I can simply access the web server access logs and view the victim's IP address, referer and user agent information. Example log:

[snip] - - [snip] "GET /?s10.photobucket.com/user/alsonwong/media/Astrophotos/th_Milky HTTP/1.1" 200 53797 "http://xat.com/[snip]" "Mozilla/5.0 [snip] "[leaked user IP]"

The scary part is that if we are a moderator (required minimum rank to broadcast videos), we can broadcast this link, meaning the users don't even have to click the link for their information to be leaked.

A good fix would be to properly parse the URL and ensure the root domain is a trusted domain (i.e. photobucket.com).

Hopefully this report reaching a broader audience will influence the administrators or appropriate staff to address this situation.

This post is for educational purposes only. :-)
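The two checks described above, as an added example that is not xat's code: the substring test the post describes beside a hostname-based allow-list check built on the WHATWG URL parser. The trusted domain list and the attacker.example host are assumptions for the example.

```javascript
// Added example, not xat's own code. Shows why a substring check on the
// whole URL string is the wrong place to decide which domains may be embedded.

// Weak check, as described in the post: accepts any URL string that contains
// ".photobucket" anywhere, including the path, query string or fragment.
function weakIsPhotobucket(url) {
  return url.indexOf('.photobucket') !== -1;
}

// Root domains the embed iframe may load from. Assumed for this example,
// not xat's real list.
const TRUSTED_ROOTS = ['photobucket.com', 'youtube.com'];

// Hardened check: parse the URL, only allow web schemes, then compare the
// parsed hostname (never the path or query) against the allow-list.
// A host matches if it equals a trusted root or is a subdomain of it, so the
// varying Photobucket server subdomains (s10.photobucket.com etc.) still pass.
function isTrustedEmbedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on anything that is not an absolute URL
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  if (parsed.username || parsed.password) return false; // no user@host confusion
  const host = parsed.hostname.toLowerCase().replace(/\.$/, ''); // drop trailing dot
  return TRUSTED_ROOTS.some((root) => host === root || host.endsWith('.' + root));
}

// Constructed sample inputs: one legitimate link, then the query-string shape
// from the post and two other places a trusted name can appear without being
// the host. attacker.example is a placeholder domain.
const SAMPLES = [
  'http://s10.photobucket.com/user/example/media/photo.jpg',
  'http://attacker.example/?.photobucket',
  'http://attacker.example/?s10.photobucket.com/user/example',
  'http://www.photobucket.com.attacker.example/',
  'http://attacker.example/#.photobucket.com',
];

for (const u of SAMPLES) {
  console.log(`weak=${weakIsPhotobucket(u)} hardened=${isTrustedEmbedUrl(u)} ${u}`);
}
```

Only the first sample is accepted by the hardened check; the weak check accepts all five.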
Paul Posted March 4, 2017

@Admin