A filter bypass software vulnerability has been detected in the official Akeni LAN (LE) Messenger v1.2.118. The bug allows local attackers to inject their own malicious persistent script code on the application side. The vulnerability is located in the Akeni `incorrect length` exception-handling module with the bound vulnerable groupname (Gruppenname) parameter. The filter of the Akeni LAN Messenger sanitizes malicious tags and evil frame context but does not recognize a second split (%20) request after the first. The attacker can provoke a first parse by injecting, for example, a >`` to match the invalid exception criteria. After provoking it, he splits the request with %20 and injects his own tags directly after it. The result is persistent script code execution out of the invalid length & invalid parameter software exception handling.
[+] Menu > Action > Contact List > Add Group
Proof of Concept:
The vulnerability can be exploited by local attackers without required user interaction. For demonstration or to reproduce ...
1. Let us watch the exception handling of the invalid length. First we inject a standard iframe like >"<iframe src=a>
[>"'>] has incorrect length.
Groups name must have between %2 and %3 characters.
... the validation of the incorrect length or invalid parameter redisplays the message but parses the iframe tag. We can see in the parse the >", which is split from the parse itself and shows that there could be an injection possibility.
1.2 The next step will be to split the request. HOW?! We inject a standard iframe (<iframe src=a>), split the request with %20 (space) and inject the second script code after the split.
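The filter gap described above, next to a fix that encodes the whole group name before it is echoed into the error message. This is an added example, not Akeni's code: the function names, the regex-based filter, the HTML-rendered message and the length bounds are assumptions that model the behaviour the advisory reports.

```python
import html
import re

# Message shape taken from the advisory's error output.
TEMPLATE = "[{name}] has incorrect length."
TAG = re.compile(r"<[^>]*>")
# Constructed bounds; the advisory only shows unfilled %2 / %3 placeholders.
ALLOWED_NAME = re.compile(r"[\w .-]{1,32}")


def flawed_filter(group_name: str) -> str:
    """Hypothetical model of the bypassed filter: it strips the first tag it
    finds and never re-scans what follows the space separator."""
    return TAG.sub("", group_name, count=1)


def render_error_flawed(group_name: str) -> str:
    return TEMPLATE.format(name=flawed_filter(group_name))


def render_error_safe(group_name: str) -> str:
    """Encode the complete value on output instead of removing tags, so no
    part of the name can be parsed as markup by the message view."""
    return TEMPLATE.format(name=html.escape(group_name, quote=True))


def is_valid_group_name(group_name: str) -> bool:
    """Allowlist check applied before the name is stored or displayed."""
    return ALLOWED_NAME.fullmatch(group_name) is not None


def contains_markup(rendered: str) -> bool:
    return TAG.search(rendered) is not None


if __name__ == "__main__":
    # Constructed inputs built from the advisory's own strings; the literal
    # space stands for the %20 split.
    single = '>"<iframe src=a>'
    split = '>"<iframe src=a> <iframe src=a>'
    for value in (single, split):
        print("input  :", value)
        print("flawed :", render_error_flawed(value))
        print("safe   :", render_error_safe(value))
        print("valid  :", is_valid_group_name(value))
```

Output encoding and the allowlist are independent controls: the first protects the exception message even when a rejected value is echoed back, the second keeps such values from being stored as a group name at all.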