Syhunt: MyCyberTwin Multiple Cross-Site Scripting Vulnerabilities

Advisory-ID: 200703041
Discovery Date: 4.3.2007
Release Date: 4.24.2007
Affected Applications: MyCyberTwin service
Class: Cross-Site Scripting (Cookie-Theft), HTML Injection
Status: Unpatched/Vendor informed
Vendor: MyCyberTwin
Vendor URL: http://www.mycybertwin.com/

----------------------------------------------------------------

Overview:

MyCyberTwin is a website that allows users to develop virtual personalities/bots called "cybertwins". The MyCyberTwin website states that 6483 bots have already been created. MyCyberTwin also says that the service is still in alpha.

Description:

The MyCyberTwin service is vulnerable to cross-site scripting (XSS) and HTML injection. Input passed directly to the "message" parameter is not properly sanitised before being returned to the user. It is also possible to inject code into the bot profile. Since profile information is also displayed in user galleries and on the main web page, this vulnerability can make a large number of users an easy target.

The vulnerability can be exploited to execute arbitrary HTML and script code in the user's browser session. It is even possible to create a fake index/login page on the main web site page at:
http://mycybertwin.com

----------------------------------------------------------------

Details:

1) Message param XSS

http://mycybertwin.com/message.jsp?nextpage=/index.jsp&message=<script>alert(document.cookie);</script>

2) Profile XSS

It is possible to inject HTML/script code in the "Display name" field or the "City" field on the myhome.jsp page (http://mycybertwin.com/myhome.jsp). The injected code will be displayed at:
http://mycybertwin.com/chat/[botname]
and
http://mycybertwin.com/viewmycybertwins.jsp
and on the main web site page at:
http://mycybertwin.com

3) Conversation page XSS

When you start a conversation with a bot, you are asked for your name and the bot creator is informed of it. If you provide HTML code as a name, it will be displayed on the conversations page (at: http://mycybertwin.com/myconversations.jsp).

----------------------------------------------------------------

Vulnerability Status:

MyCyberTwin was notified, but no reply has been received and apparently no measures have been taken.

----------------------------------------------------------------

Disclaimer:

The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.

---

Credit: Alec Storm, Syhunt Security Research Team, www.syhunt.com
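The defect described in all three items is the same: a user-supplied value (the "message" parameter, a profile field, a visitor name) is placed into the page without output encoding. The following Python is an added illustration, not code from Syhunt or from the MyCyberTwin site (which is JSP): it shows the vulnerable rendering beside the corrected one, using the exact payload quoted in the advisory, and a small log-side check that flags query parameters carrying HTML-significant characters. The page template and the check are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The reflected "message" payload quoted in the advisory (used here as sample input).
ADVISORY_PAYLOAD = "<script>alert(document.cookie);</script>"

# Constructed stand-in for the page that echoes the parameter back to the user.
PAGE_TEMPLATE = '<html><body><p class="notice">{message}</p></body></html>'


def render_message_unsafe(message: str) -> str:
    """Reproduces the defect: the parameter is interpolated into the page verbatim."""
    return PAGE_TEMPLATE.format(message=message)


def render_message_safe(message: str) -> str:
    """Corrected rendering: HTML-encode the value so the browser shows it as text."""
    return PAGE_TEMPLATE.format(message=html.escape(message, quote=True))


def is_rendered_as_text(page: str, value: str) -> bool:
    """True when the value reaches the page only in its HTML-encoded form.

    For values without HTML-significant characters the encoded and raw forms
    coincide, so such a value is accepted as long as it appears at all.
    """
    encoded = html.escape(value, quote=True)
    if encoded == value:
        return value in page
    return encoded in page and value not in page


def flagged_params(url: str) -> list:
    """Detection aid for request logs: names of query parameters whose (URL-decoded)
    value contains '<' or '>', which a plain-text field like "message" never needs."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any("<" in v or ">" in v for v in values)]


if __name__ == "__main__":
    print("unsafe:", render_message_unsafe(ADVISORY_PAYLOAD))
    print("safe:  ", render_message_safe(ADVISORY_PAYLOAD))
    # Constructed log entry with the advisory's request, percent-encoded as a browser would send it.
    logged = ("http://mycybertwin.com/message.jsp?nextpage=/index.jsp"
              "&message=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E")
    print("flagged:", flagged_params(logged))
```

The same encoding step applies to the stored cases (profile fields and the visitor name) at every place they are displayed, not only on the page that accepted them.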
This archive was generated by hypermail 2.1.3 : Tue Apr 24 2007 - 14:15:08 PDT