https://cxsecurity.com/issue/WLB-2007100125
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-480

webcamXP1.02.432和1.02.535版本存在跨站脚本（XSS）漏洞。远程攻击者可以借助信息字段注入任意web脚本或HTML。

========================================================================
===

====

FRAME4 SECURITY ADVISORY [FSA-2003:002]

------------------------------------------------------------------------
---

----

PRODUCT            : WebcamXP

PRODUCT/VENDOR URL : http://www.darkwet.net/

TYPE               : Vulnerability / Exploit

IMPACT             : Medium

SUMMARY            : Code Injection Vulnerabilities in WebcamXP Chat

Feature

DISCOVERY DATE     : 00/03/2003

PUBLIC RELEASE     : 02/05/2003

AFFECTED VERSION(S): All (as of discovery date)

FIXED VERSION(S)   : None

VENDOR NOTIFIED    : Yes

------------------------------------------------------------------------
---

----

BACKGROUNDER:

Vendor web site states that WebcamXP is a "powerful webcam utility with an

integrated http server so you don't need to install a web server on your

computer. Works under all windows os and the server port can be changed."

INTRODUCTION:

We have discovered various code injection vulnerabilities in the chat

feature

of WebcamXP.

ADVISORY URL:

This advisory is available in its original format at the following URL:

http://www.frame4.com/content/advisories/FSA-2003-002.txt

VENDOR CONTACT:

We have emailed the creator of the program, "wet", on wet (at) darkwet (dot) net [email concealed] with

the

specifics of this vulnerability on the release date of this advisory.

VULNERABILITY DESCRIPTION:

Please refer to the 'Technical Description' section below, for full

description

of the problem(s).

VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):

We have tested these vulnerabilities between two versions; v1.02.432 and

the

latest build, v1.02.535. Whereas the chatbox feature on the application

side

seems to be pretty immune to code injection (MOST code gets stripped), the

web

page portion is far from being safe.

Although the tests have been carried out between two builds of the

program, it

is highly possible that other versions behave the same way. The tests were

only

carried out using Microsoft Internet Explorer.

SOLUTION/VENDOR INFORMATION/WORKAROUND:

None as yet. Although recently the server portion of the chat feature has

been

upgraded (where certain tags get filtered), the problems still seem to

exist.

TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:

The below examples are merely a small portion of what could be possible

and in

no way constitute an exhaustive list of potential vulnerabilities.

[001] Code Injection 1

We have ascertained that typing <script>alert(document.cookie);</script>

in the

message field on the web page generates a message box whereas this should

be

ignored. You can see an actual screen shot of this at the following URL:

http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg

[002] Code Injection 2

Following on from the previous example, we have also noticed that in a

similar

manner, an IFRAME can be generated by simply typing the

following 'command' in

the message field: <iframe src="http://frame4.com"></iframe>. You can find

the

relevant screen shots of this 'feature' at the following URLs:

http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg

http://www.frame4.com/content/advisories/FSA-2003-002-02.jpg

http://www.frame4.com/content/advisories/FSA-2003-002-03.jpg

[003] Code Injection 3

This is the "showstopper". We have discovered that the IFRAME can

be "pushed"

onto the chat initiator in the same fashion. In this case, a webcam

operator

for example, can inject a script "out" to the user via the internal chat

box.

A screen shot of this problem can be seen here:

http://www.frame4.com/content/advisories/FSA-2003-002-04.jpg

[004] "Malformed Code" Injection

Whereas the command <iframe src="http://frame4.com"></iframe> creates a

perfect

IFRAME (see above), if we issue (by accident) the same command in

the "wrong"

manner, i.e.:

<script>alert(document.cookie);</script><iframe

src=http://frame4.com</iframe>

the page goes into some kind of 'loop'. The message box gets generated and

then

we DO get an IFRAME (and rightly, you get an 404 as the content) but the

scroll

bars disappear and the page just stops responding.

Closing the browser and re-opening at the chat URL has absolutely no

effect, as

the above loop gets repeated and the situation does not change until the

other

party resets or refreshes their page. A screen shot of this problem can be

seen

here: http://www.frame4.com/content/advisories/FSA-2003-002-05.jpg

CREDITS:

The vulnerabilities outlined in this advisory and accompanying sample code

have

been discovered by a joint operation between Morning Wood and Anthony

Aykut. We

have NOT circulated any of our findings through the underground community,

and,

present them here as a PUBLIC DISCLOSURE.

Morning Wood

morning_wood (at) thepub.co (dot) za [email concealed]

Morning Wood, Inc

http://take.candyfrom.us/

Anthony Aykut

anthony.aykut (at) frame4 (dot) com [email concealed]

Frame4 Security Systems

http://www.frame4.com

REFERENCES:

None.

ABOUT:

Frame4 Security Systems is a new security partner, empowering clients with

the

necessary knowledge and products to protect and secure their computer

systems.

Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-

515901 or

on the Web at http://www.frame4.com/.

DISCLAIMER:

This advisory is a Frame4 Security Systems ("Frame4") publication, all

rights

reserved (c) 2003. You may (re-)distribute the text as long as the content

is

not changed in any way and with this header text intact. If you want to

serve

this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so,

as

long as no changes are made without the prior permission of the author(s),

no

fees are charged and proper credit is given.

IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the

maximum

extent permitted by applicable law, in no event shall Frame4 Security

Systems

be liable for any damages whatsoever, (including, without limitation,

damages

for loss of any business profits, business interruption, loss of any

business

information, or other pecuniary loss) arising out of the use, or inability

to

use any software, and/or procedures outlined in this document, even if

Frame4

Security Systems has been advised of the possibility of such damage(s).

There

are NO warranties with regard to this information.

This advisory is the property of Frame4 Security Systems, all rights

reserved.

Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/

========================================================================
===

====

来源:XF
名称:webcamxp-multiple-xss(11952)
链接:http://xforce.iss.net/xforce/xfdb/11952
来源:BID
名称:7490
链接:http://www.securityfocus.com/bid/7490
来源:BUGTRAQ
名称:20030502CodeInjectionVulnerabilitiesinWebcamXPChatFeature
链接:http://www.securityfocus.com/archive/1/320345
来源:www.frame4.com
链接:http://www.frame4.com/content/advisories/FSA-2003-002.txt
来源:SREASON
名称:3304
链接:http://securityreason.com/securityalert/3304