Campfire... damnit...

Posted by Nicholas Tue, 30 Jan 2007 13:57:00 GMT

Well, a few weeks back I posted about some potential security issues with Campfire.

As it turns out, there are a few more interesting issues that we hadn’t yet found at that time. While we were messing around to see if you could put avatars in names via image tags, we discovered that certain places in Campfire were not replacing entities in the HTML, and were therefore running it. To some this issue may seem trivial, but I suggest that it’s actually potentially more dangerous than the issues discussed in my previous post....



Posted in exploits, campfire, rails, ruby | no comments

Exploiting Campfire for dummies

Posted by Nicholas Thu, 18 Jan 2007 13:08:32 GMT

So recently I’ve been using Campfire quite a bit, and I couldn’t help but notice some really obvious exploits that just shouldn’t be there.

Like what, you ask? Well, how about the cool feature that takes any submitted image URL (actually any URL ending with a specific extension) and puts it in image tags in chat. Things like this can be used to execute scripts locally in the browser of anybody viewing chat by simply changing the extension (and at a push the MIME type if extension alone doesn’t work) of a script and pasting it into Campfire. If your script is malicious it can do such nice things as steal cookies from viewers, force them to see infinite loops, etc....



Posted in rails, ruby, campfire, exploits | 1 comment