Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Feb 2012 09:24:29 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Rafał Malinowski
 <rafal.przemyslaw.malinowski@...il.com>,
        Mateusz Goik <mateusz.goik@...antsoft.pl>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Mariusz Fik <fisiu@...nsuse.org>,
        Radoslaw Lisowski <radoslaw.lisowski@...il.com>, kontakt@...antsoft.pl
Subject: Re: Re: CVE Status Clarification / Request -- kadu:
 Stored XSS by parsing contact's status and sms messages in history

On 02/27/2012 02:09 PM, Rafał Malinowski wrote:
> Affected versions: 0.9.0 - 0.11.0 (0.11.1 is not vulnerable)
> 
> Vulnerability:
> 
> Any javascript code could be executed from Kadu History Window in
> following conditions:
> * application owner send a prepared SMS and content of this SMS was
> stored in history file
> * owner of application has an attacker on his buddy list, attacker
> sets a prepared presence message/status description and this presence
> message/status description is stored in history file
> 
> and then:
> 
> * owner of application views given SMS or presence message/status
> description in history window
> 
> 
> Javascript code was allowed to:
> * load any file from WEB, by <img> or <script> tags, even <object>
> with flash files were possible
> * read files from local file system
> * (not confirmed by myself) write files to local file system
> * show javascript windows (like alert)

Please use CVE-2012-1091 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.