Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Instant Messaging/IRC/Chat)  >   Chat Anywhere Vendors:   LionMax Software
Chat Anywhere Can Be Crashed By Remote Users With Specially Crafted Username
SecurityTracker Alert ID:  1011080
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2004
Impact:   Denial of service via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.72a
Description:   Donato Ferrante reported a vulnerability in Chat Anywhere. A remote user can cause the chat service to crash.

It is reported that the server does not properly manage fake user accounts. A remote user can connect to the service and supply a specially crafted username beginning with a '%' character and followed by a null character and arbitrary characters. This will cause the chat service to crash and cause the connected clients to consume CPU resources.

Some demonstration exploits are available at:[272a]

The vendor was originally notified on December 4, 2003 by Luigi Auriemma.

Impact:   A remote user can cause the target chat service to crash.
Solution:   No solution was available at the time of this entry. The vendor is reportedly planning to issue a fix in the next release. Until that time, the vendor recommends that you add password protection to protect the chat room.
Vendor URL: (Links to External Site)
Cause:   Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  DoS in Chat Anywhere 2.72a

                           Donato Ferrante

Application:  Chat Anywhere

Version:      2.72a

Bug:          Denial Of Service

Date:         27-Aug-2004

              Donato Ferrante

              Luigi Auriemma


1. Description
2. The bug
3. The code
4. The fix


1. Description:

Chat Anywhere is a Web-based chat server for real-time chatting.


2. The bug:

The chat server is unable to manage fake users.
So an attacker can crash the chat server and also consume a lot of CPU
resources to all the real clients connected, by using fake users.


3. The code:

To test the vulnerability:[272a]



4. The fix:

The bug was initially found on 4 Dec 2003 in the version 2.72,
and reported to the vendor by Luigi Auriemma, but the vendor probably
forgot to fix it.
So the vendor was contacted for the same bug in the next version 2.72a,
and now the vendor is planning to fix the bug in the next release.
In the meantime vendor recommends to add password protection to protect
the chat room.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC