Hi,
Our security team has found the following security-related issues in version 1.6.4.
a) Multiple XSS
Mibew Messenger versions 1.6.4 and below are vulnerable to XSS in the following areas:
- Input passed via the "address" and "threadid" POST parameters to /operator/ban.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
- Input passed via the "geolinkparams" POST parameter to /operator/settings.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
- Input passed via the "title" POST parameter to /operator/settings.php is not properly sanitised before being saved to the database.
This input is returned to the Operator user without any check when a new chat window is opened.
- Input passed via the "chattitle" POST parameter to /operator/settings.php is not properly sanitised before being saved to the database.
This input is returned to the Visitor user without any check when a new chat window is opened.
b) Cross-Site Request Forgery
A vulnerability in Mibew Messenger can be exploited by malicious people to conduct cross-site request forgery attacks.
The application's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change an administrator's password and conduct script insertion attacks by tricking a logged-in administrator into visiting a malicious web site.
The vulnerability is confirmed in version 1.6.4. Other versions may also be affected.
Please let us know if these can be closed.
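
Both classes of issue in the report above come down to missing output encoding and missing request verification. The PHP below is an added example, not part of the original report and not Mibew's code: it shows context-appropriate encoding for values echoed back into HTML (which applies equally to the stored "title" and "chattitle" values at render time) and a per-session token check for state-changing POST requests. The function names, the `csrf` field name and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not Mibew code. All function names here are hypothetical.

// Encode a value for an HTML text or quoted-attribute context.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "threadid" should only ever be a positive integer; reject anything else.
function thread_id_or_null($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Issue one random token per session; embed it in every state-changing form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Constructed sample request, standing in for $_SESSION and $_POST.
$session = [];
$token   = csrf_token($session);
$post    = ['address' => '"><b>x</b>', 'threadid' => '12abc', 'csrf' => $token];

// Verify the request before acting on it or rendering anything from it.
if (!csrf_valid($session, $post)) {
    http_response_code(403);
    exit('Invalid request token');
}

$threadId = thread_id_or_null($post['threadid']); // non-integer input is rejected
echo '<input name="address" value="' . html_out($post['address']) . '">', "\n";
echo '<input name="threadid" value="' . html_out((string) $threadId) . '">', "\n";
```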