Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Gadu-Gadu, another two bugs
From: lazy () server gwsh gda pl
Date: Mon, 20 Dec 2004 14:09:45 +0100

On Fri, Dec 17, 2004 at 11:23:38AM +0100, Jaroslaw Sajko wrote:
Product:      Gadu-Gadu, build 155 and older
Vendor:               SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact:               Script execution in local zone,
              Remote DoS
Severity:     High
Authors:      Blazej Miga <bla () man poznan pl>,
              Jaroslaw Sajko <sloik () man poznan pl>
Date:         17/12/04

Bug 1.
Parsing error. We can send a malicious string which has an url inside.
This url can be a javascript code for example or reference to such a code.
Code will execute when the window with message pops up. Code will execute
in LOCAL ZONE! Works also with older versions.


Send such a string to any receipent:

tlen.pl - another polish IM was also vulunerable to Bug1
they fixed it in and (as I was told) they now block it on the servers, but you can check it
locally on your own client

Michal Grzedzicki

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]