1st Vibe Exploit

Amish

16-07-2007 19:32:59

Vibe Streamserver is known to have an XSS bug located in it. Here's the details.

Make a new user, with the name of

[code]<script>alert(document.cookie)</script>[/code]

And the password anything.

Then log into the account using the username and password.

Next, click who's online. And there you go, a nice XSS exploit.


[img]http://img254.imageshack.us/img254/7594/sdfdsfdsfsbk6.jpg[/img]


Yeah, I know this isn't useful, because you have to log in with the user, but still. It's there and should be fixed.

Have fun. Peace

~Amish
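An added example, not part of the thread and not Vibe Streamer's own code: a "who's online" list that writes stored usernames into HTML unencoded, next to a version that encodes them on output. The function names, the username allowlist and the cookie name `sid` are assumptions made for illustration.

```python
import html
import re

# Hypothetical allowlist for account names (an assumption, not Vibe Streamer's rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name: str) -> bool:
    """Reject names containing markup characters when the account is created."""
    return USERNAME_RE.fullmatch(name) is not None


def render_online_unsafe(usernames):
    """The flawed pattern: stored names are concatenated into the page as-is."""
    items = "".join(f"<li>{name}</li>" for name in usernames)
    return f"<ul>{items}</ul>"


def render_online_safe(usernames):
    """Encode every stored name for the HTML context it is written into."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in usernames)
    return f"<ul>{items}</ul>"


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps page script from reading the cookie via document.cookie."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    # Constructed sample data: one ordinary name and the name from the post above.
    stored = ["alice", "<script>alert(document.cookie)</script>"]
    print(render_online_unsafe(stored))
    print(render_online_safe(stored))
    print([is_valid_username(n) for n in stored])
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output is the actual fix; the allowlist and the HttpOnly flag are additional layers that limit what a missed encoding can expose.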

siit

18-07-2007 18:49:27

hmm, I'm not sure that I see the real problem here.
First of all you have to have access to the server in order to create a user with that script as a name. Secondly, what you display with the alert is the session id of the current user you're logged on as, not the session id of the other users... so it's no real interesting information really.. and third, the session variable uses both IP and server/client cookie to recognize the user as logged on.

But maybe I don't understand the problem entirely?

Amish

18-07-2007 19:53:53

siit, yeah I said it wasn't useful. But it's an exploit nonetheless.

Just saying that it should be fixed in the newer version :P

How's that coming, by the way??

Peace

siit

23-07-2007 14:56:22

It's moving forward. I don't wanna give out the story now when it's too early, but I can tell you that I've spent loads of days and nights of my summer vacation time on the next version.

At the moment I've got one final, rather big, addition to Vibe Streamer that I'm hoping to be able to go through with. When that's worked out I'll give you all the entire story and then, hopefully soon, go into an early alpha stage for the next version.. so even though it's been some time, Vibe Streamer hasn't stopped, that's one thing I know for sure :]

Amish

23-07-2007 22:19:50

Ahhhh wooo that's great man, I should donate MORE money.


As should everyone else :D

Peace Bro

~Amish