LionMax Software Chat Anywhere User IP Address Obfuscation Vulnerability
BID:9823
Info
| Bugtraq ID: | 9823 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 09 2004 12:00AM |
| Updated: | Mar 09 2004 12:00AM |
| Credit: | The disclosure of this issue has been credited to Luigi Auriemma. |
| Vulnerable: | LionMax Software Chat Anywhere 2.72 |
| Not Vulnerable: | LionMax Software Chat Anywhere 2.72a |
Discussion
It has been reported that Chat Anywhere may be prone to a user IP address obfuscation vulnerability that may allow an attacker to hide their IP address from the administrator. The issue presents itself if an attacker uses '%00' characters at the beginning of their nickname. Due to this, it may not be possible to ban or remove abusive users from a chat room.
Chat Anywhere 2.72 and prior are reported to be affected by this issue.
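As an added illustration of the input validation this class of issue calls for (not LionMax's fix and not code from the advisory), the following Python sketch decodes a submitted nickname before checking it, so that '%00' and a literal NUL byte are rejected alike. The function names, the length limit and the sample nicknames are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_NICK_LEN = 32  # assumed limit, not taken from Chat Anywhere
_RESIDUAL_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")


class NicknameRejected(ValueError):
    """Raised when a submitted nickname must not be admitted to the room."""


def canonical_nickname(raw: str) -> str:
    """Percent-decode a submitted nickname, then validate the decoded bytes."""
    decoded = unquote_to_bytes(raw)
    # A second layer of encoding ('%2500') would turn into '%00' on a later decode.
    if _RESIDUAL_ESCAPE.search(decoded):
        raise NicknameRejected("nested percent-encoding")
    # NUL and other control bytes have no place in a name shown to the administrator.
    if any(b < 0x20 or b == 0x7F for b in decoded):
        raise NicknameRejected("control character in nickname")
    try:
        nick = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise NicknameRejected("not valid UTF-8") from exc
    if not nick or nick != nick.strip():
        raise NicknameRejected("empty or whitespace-padded nickname")
    if len(nick) > MAX_NICK_LEN:
        raise NicknameRejected("nickname too long")
    return nick


def screen(nicknames):
    """Map each raw nickname to its canonical form, or None if rejected."""
    results = {}
    for raw in nicknames:
        try:
            results[raw] = canonical_nickname(raw)
        except NicknameRejected:
            results[raw] = None
    return results


# Constructed sample input, not captured from a real server.
SAMPLES = ["alice", "%00ghost", "\x00ghost", "%2500ghost", "bob%20smith", "  "]

if __name__ == "__main__":
    for raw, nick in screen(SAMPLES).items():
        print(repr(raw), "->", repr(nick))
```

The ban list and the administrator's user view should both work from the canonical value returned here, never from the raw string.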
Exploit / POC
This issue does not require an exploit.
A proof of concept can be obtained from the following location:
http://aluigi.altervista.org/poc/ca-ghost.htm
Solution / Fix
Solution:
The vendor has released Chat Anywhere 2.72a to address this issue. Users are advised to upgrade to the new version.
References
References:
- Chat Anywhere Product Page (LionMax Software)
- Ghost users in Chat Anywhere 2.72 (Luigi Auriemma)