iGuano

Vulnerability on xatradio.com / xat's group pages and xatspaces.


22 minutes ago, Lamingtons said:

Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

 

Good job. Thanks, I'll report xatradio.com-specific vulnerabilities there from now on.

26 minutes ago, Lamingtons said:

Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

 

On second glance, it appears you have published an incomplete fix.

I notice you no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works.

 

In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work.

This is still fully exploitable.

6 minutes ago, iGuano said:

 

Good job. Thanks, I'll report xatradio.com-specific vulnerabilities there from now on.

 

On second glance, it appears you have published an incomplete fix.

I notice you no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works.

 

In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work.

This is still fully exploitable.

 

No, you can't; only whitelisted URLs will work. It will display BlockedDomain.

3 minutes ago, Lamingtons said:

No, you can't; only whitelisted URLs will work. It will display BlockedDomain.

 

Yes, but I can supply my server IP, not needing a domain at all.

So whitelisting URLs doesn't make a difference.

 

For example, xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3

1 hour ago, iGuano said:

 

Yes, but I can supply my server IP, not needing a domain at all.

So whitelisting URLs doesn't make a difference.

 

For example, xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3

 

Ok, thank you again. We're working on it; it will be fixed.

6 hours ago, Lamingtons said:

Ok, thank you again. We're working on it; it will be fixed.

 

Good job, that second fix seems to have done the trick. I have to pop out, but I'll have another look later and see if it is still vulnerable.

10 hours ago, Lamingtons said:

Ok, thank you again. We're working on it; it will be fixed.

 

I've had a look at your second fix.

This time it seems you now block all MIME types except "audio/mpeg". However, the IP leakage issue is still present.

 

You would have to actually proxy the stream through your server to avoid this issue; maybe it is a risk xat is willing to take.

 

I created another quick PoC; I'll post it below:

 

index.php

<?php
// Reply with the one MIME type the second fix accepts. The request itself,
// including the listener's address, has already been written to the access log.
header('Content-Type: audio/mpeg');
?>

 

Now that I've bypassed the MIME type blocking, I can still log IP addresses.

 

Server log

[leaked victim ip] - - [04/Mar/2017] "GET /;stream.mp3 HTTP/1.1" 200 15 "http://chatsgroup.com/web_gear/chat/media.php?d=[snip]&p=0&id=[snip]" "Mozilla/5.0 [snip]

 

You can make use of the proxy_pass feature in Nginx to achieve this.

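The server-side proxying suggested in the post above, as an added example that is not xatRadio's own configuration: the player requests an opaque stream id instead of an ip/port/extra triple, Nginx maps that id to a fixed allowlist entry and fetches the audio itself, so the stream host only ever sees the relay's address, and the Referer and cookies seen in the leaked log line are stripped before the upstream request is made. The server_name, stream ids and upstream addresses are placeholders.

```nginx
# Goes inside the http {} block. The client never chooses the upstream:
# /stream/<id> is looked up here, and an unknown id resolves to "".
map $stream_id $stream_upstream {
    default     "";
    "station1"  "http://203.0.113.10:8000/;stream.mp3";   # placeholder upstream
    "station2"  "http://203.0.113.11:8000/live";          # placeholder upstream
}
# Upstreams are IP literals so no "resolver" directive is needed; a hostname
# in the map would require one, because proxy_pass with a variable resolves
# at request time.

server {
    listen 443 ssl;
    server_name xatradio.example;    # placeholder

    # Only a short, character-restricted id is accepted; no host, port or path.
    location ~ ^/stream/(?<stream_id>[A-Za-z0-9_-]{1,32})$ {
        if ($stream_upstream = "") {
            return 404;              # the equivalent of "BlockedDomain"
        }

        proxy_pass $stream_upstream;
        proxy_http_version 1.1;
        proxy_buffering off;         # relay the audio as it arrives

        # An empty value means the header is not sent upstream, so the stream
        # host sees only this server's address and nothing about the listener
        # or the chat group page that embedded the player.
        proxy_set_header X-Forwarded-For "";
        proxy_set_header X-Real-IP "";
        proxy_set_header Referer "";
        proxy_set_header Cookie "";
        proxy_set_header User-Agent "xatradio-relay";
        proxy_set_header Connection "";
    }

    # Any other path under /stream/ (e.g. a client-supplied /;stream.mp3) is rejected.
    location /stream/ {
        return 404;
    }
}
```

With this layout the MIME type check on the upstream becomes a defence-in-depth measure rather than the only control, since the listener's browser can no longer be pointed at an arbitrary ip and port.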
13 minutes ago, Lolppl said:

Well, I thought xat was against stuff like this, always putting users at risk.

 

I believe there is a fix in progress for this one.
