CVE-2004-1802
Description
Chat Anywhere 2.72 and earlier allows remote attackers to hide their IP address by prepending %00 to their nickname, preventing administrators from banning or kicking them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Chat Anywhere versions 2.72 and earlier contain a vulnerability in the nickname handling logic. When a user prepends a null byte (%00) to their nickname, the administration web page displays the IP address as $IP$ instead of the actual IP address [1][2]. This occurs because the server fails to properly sanitize the nickname input before processing it for the admin interface.
Exploitation
An attacker can exploit this vulnerability remotely via a browser by sending a nickname that starts with %00. Since most browsers encode %00 as %2500, the attacker must use a crafted HTML page or direct HTTP request to send the raw null byte [1][2]. No authentication or special privileges are required; the attacker simply joins a chat room with the malicious nickname.
Impact
Successful exploitation allows the attacker to hide their IP address from the administrator. As a result, the administrator cannot identify, ban, or kick the user, effectively granting the attacker immunity from administrative actions [1][2]. The vulnerability does not lead to data disclosure or code execution, but it undermines the administrator's ability to manage the chat server.
Mitigation
The vendor released version 2.72a to address this vulnerability [1][2]. Users should upgrade to Chat Anywhere 2.72a or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
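The kind of server-side nickname check whose absence the Vulnerability section describes, as an added example; it is not Chat Anywhere's code or the vendor's 2.72a fix. The function names, the allowed character set, the length limit and the sample nicknames are assumptions. It decodes nested percent-encoding first, so that both %00 and the %2500 form mentioned above are judged as a NUL byte.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 3  # assumed bound on nested percent-encoding layers
# Assumed policy: short allowlist of printable ASCII.
# It excludes '%', '$' and every control byte.
ALLOWED = re.compile(rb"[A-Za-z0-9_.\-]{1,32}")


def decode_fully(raw: str) -> bytes:
    """Percent-decode until stable, so %2500 -> %00 -> NUL is judged as NUL."""
    data = raw.encode("utf-8")
    for _ in range(MAX_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            return data
        data = decoded
    raise ValueError("too many encoding layers")


def check_nickname(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a nickname as received on the wire."""
    try:
        data = decode_fully(raw)
    except ValueError as exc:
        return False, str(exc)
    if b"\x00" in data:
        return False, "NUL byte in nickname"
    if any(b < 0x20 or b == 0x7F for b in data):
        return False, "control character in nickname"
    if not ALLOWED.fullmatch(data):
        return False, "outside allowed character set or length"
    return True, "ok"


# Constructed sample inputs (not captured traffic).
SAMPLES = ["alice_01", "%00guest", "%2500guest", "bob%0d%0a", "$IP$", ""]

if __name__ == "__main__":
    for nick in SAMPLES:
        print(repr(nick), check_nickname(nick))
```

Logging the rejection reason together with the connection's source address, taken from the socket rather than from any user-supplied field, keeps the administrator's view of who connected independent of the nickname.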
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.72
Patches
No patches discovered yet.
References