Chat Anywhere 2.72 and earlier allows remote attackers to hide their IP address by using %00 before the nickname, which causes the IP address to be displayed as $IP$ on the administration web page.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Chat_anywhere | Lionmax_software | * | 2.72 (including) |
References
- http://aluigi.altervista.org/adv/chatany-ghost-adv.txt
- http://marc.info/?l=bugtraq\u0026m=107885946220895\u0026w=2
- http://www.lionmax.com/chatanywhere.htm
- http://www.securityfocus.com/bid/9823
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15416
- http://aluigi.altervista.org/adv/chatany-ghost-adv.txt
- http://marc.info/?l=bugtraq\u0026m=107885946220895\u0026w=2
- http://www.lionmax.com/chatanywhere.htm
- http://www.securityfocus.com/bid/9823
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15416