Full Disclosure mailing list archives

Gadu-Gadu, another two bugs
From: Jaroslaw Sajko <sloik () man poznan pl>
Date: Fri, 17 Dec 2004 11:23:38 +0100 (CET)

Product:        Gadu-Gadu, build 155 and older
Vendor:         SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact:         Script execution in local zone,
                Remote DoS
Severity:       High
Authors:        Blazej Miga <bla () man poznan pl>,
                Jaroslaw Sajko <sloik () man poznan pl>
Date:           17/12/04


Gadu-Gadu is the first Polish instant messenger, used by ca. 3 million
people per month.

In addition to the previously reported vulnerabilities, there are two
further vulnerabilities in the build which was released after our last


Bug 1.
Parsing error. We can send a malicious string which has a URL inside.
This URL can, for example, be JavaScript code or a reference to such code.
The code executes when the window with the message pops up, and it
executes in the LOCAL ZONE! This also works with older versions.
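The underlying weakness in Bug 1 is that a URL embedded in a received message reaches a rendering control with its scheme unchecked and its text unescaped. The following is an added example, not Gadu-Gadu's code and not from the advisory authors, of how a client can treat incoming message text as data: every character is HTML-escaped, and only whitespace-delimited tokens with an allow-listed http:// or https:// prefix are turned into links, so a javascript: reference stays inert text. The function names and the sample messages are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical code, not Gadu-Gadu's): render a received
 * message as HTML without letting the sender inject markup or script URLs. */

/* Append src to out (capacity cap) at *pos. Returns false if it would not
 * fit; out stays NUL-terminated either way. */
static bool sb_put(char *out, size_t cap, size_t *pos, const char *src) {
    size_t n = strlen(src);
    if (*pos + n >= cap) { out[*pos] = '\0'; return false; }
    memcpy(out + *pos, src, n + 1);
    *pos += n;
    return true;
}

/* HTML-escape n bytes of s into out, so message text can never open a tag
 * or break out of an attribute value. */
static bool put_escaped(char *out, size_t cap, size_t *pos, const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char one[2] = { s[i], '\0' };
        const char *rep;
        switch (s[i]) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        if (!sb_put(out, cap, pos, rep)) return false;
    }
    return true;
}

/* Case-insensitive prefix test; stops safely at the end of s. */
static bool has_prefix_ci(const char *s, const char *pfx) {
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx)) return false;
    return true;
}

/* Render msg into out. A token becomes a link only when its scheme is on the
 * allow list (http, https); anything else, including "javascript:", is text. */
bool render_message_safe(const char *msg, char *out, size_t cap) {
    if (cap == 0) return false;
    size_t pos = 0;
    out[0] = '\0';
    const char *p = msg;
    while (*p) {
        size_t n = 0;
        if (isspace((unsigned char)*p)) {
            while (p[n] && isspace((unsigned char)p[n])) n++;
            if (!put_escaped(out, cap, &pos, p, n)) return false;
        } else {
            while (p[n] && !isspace((unsigned char)p[n])) n++;
            bool link = has_prefix_ci(p, "http://") || has_prefix_ci(p, "https://");
            if (link && !sb_put(out, cap, &pos, "<a href=\"")) return false;
            if (!put_escaped(out, cap, &pos, p, n)) return false;   /* href or plain text */
            if (link) {
                if (!sb_put(out, cap, &pos, "\">")) return false;
                if (!put_escaped(out, cap, &pos, p, n)) return false;   /* visible link text */
                if (!sb_put(out, cap, &pos, "</a>")) return false;
            }
        }
        p += n;
    }
    return true;
}

/* Convenience wrapper with a static buffer, used by the demo below. */
const char *render_demo(const char *msg) {
    static char buf[1024];
    render_message_safe(msg, buf, sizeof buf);
    return buf;
}

int main(void) {
    /* constructed sample messages */
    const char *samples[] = {
        "see http://example.com/ for details",
        "click javascript:alert(1) now",
        "<b>not bold</b> & \"quoted\"",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s\n  -> %s\n", samples[i], render_demo(samples[i]));
    return 0;
}
```

The design point is that escaping happens for every token, link or not; the scheme allow list only decides whether an anchor is wrapped around the already-escaped text, so there is no path by which sender-controlled bytes reach the rendering control unescaped.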


Send such a string to any recipient:

Bug 2.
Because the default configuration in this build allows sending images,
we can send an image. There is a new feature, a loop checking the filename
for disallowed characters, but under some circumstances the loop is an
infinite loop. So, if an image name does not start with '..', '/', '\'
or '&#', the Gadu-Gadu application falls into an infinite loop, consumes
resources, and will not receive or send any message anymore. So we have a
simple DoS (livelock).
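The behaviour described for Bug 2, rejection when the name starts with a disallowed sequence and an endless loop otherwise, is what a validation loop produces when its only exit is the reject branch. The following is an added example, not Gadu-Gadu's actual code and not from the advisory authors: a hypothetical reconstruction of that bug class beside a corrected loop. The four prefixes come from the advisory; the loop shape, the function names and the sample filenames are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical code, not Gadu-Gadu's) of a filename check
 * that livelocks on accepted input, and of the corrected, bounded loop. */

static const char *const BAD_PREFIXES[] = { "..", "/", "\\", "&#" };

enum verdict { NAME_OK = 0, NAME_REJECTED = 1, NAME_LIVELOCK = 2 };

/* True if any disallowed sequence occurs at position i of s.
 * strncmp stops at the NUL terminator, so a short tail is safe to compare. */
static bool bad_prefix_at(const char *s, size_t i) {
    for (size_t k = 0; k < sizeof BAD_PREFIXES / sizeof BAD_PREFIXES[0]; k++)
        if (strncmp(s + i, BAD_PREFIXES[k], strlen(BAD_PREFIXES[k])) == 0)
            return true;
    return false;
}

/* Buggy variant: i is never advanced when position i is clean, so any
 * "normal" filename spins forever. MAX_STEPS exists only so this demo returns
 * a verdict instead of hanging; the livelock it reports is the advisory's DoS. */
enum verdict check_filename_buggy(const char *name) {
    const size_t MAX_STEPS = 100000;
    size_t i = 0, len = strlen(name), steps = 0;
    while (i < len) {
        if (++steps > MAX_STEPS) return NAME_LIVELOCK;
        if (bad_prefix_at(name, i)) return NAME_REJECTED;
        /* missing: i++ */
    }
    return NAME_OK;
}

/* Corrected variant: the index advances on every iteration, so the loop is
 * bounded by the filename length. It also rejects a disallowed sequence at
 * any position, not only at the start, because ".." or a path separator
 * anywhere in a peer-supplied filename is a traversal risk. */
enum verdict check_filename_fixed(const char *name) {
    size_t len = strlen(name);
    if (len == 0) return NAME_REJECTED;
    for (size_t i = 0; i < len; i++)
        if (bad_prefix_at(name, i)) return NAME_REJECTED;
    return NAME_OK;
}

static const char *verdict_str(enum verdict v) {
    return v == NAME_OK ? "ok" : v == NAME_REJECTED ? "rejected" : "livelock";
}

int main(void) {
    /* constructed sample filenames */
    const char *names[] = { "photo.jpg", "../photo.jpg", "dir\\photo.jpg", "&#x2F;a.jpg" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s buggy=%-9s fixed=%s\n", names[i],
               verdict_str(check_filename_buggy(names[i])),
               verdict_str(check_filename_fixed(names[i])));
    return 0;
}
```

The practical check for any loop that validates peer-supplied data is that every path through the body either exits the loop or moves the loop variable forward; a step counter like MAX_STEPS is a useful belt-and-braces guard in a network-facing parser, since the cost of a mistake here is a client that stops processing all traffic.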


Send any image (the filename must be a 'normal' filename) to your friend.


Please upgrade to the newest build (build 156).

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
