mailing list archives
Re: Gadu-Gadu, another two bugs
From: lazy () server gwsh gda pl
Date: Mon, 20 Dec 2004 14:09:45 +0100
On Fri, Dec 17, 2004 at 11:23:38AM +0100, Jaroslaw Sajko wrote:
Product: Gadu-Gadu, build 155 and older
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Script execution in local zone,
Authors: Blazej Miga <bla () man poznan pl>,
Jaroslaw Sajko <sloik () man poznan pl>
Parsing error. We can send a malicious string which has an url inside.
Code will execute when the window with message pops up. Code will execute
in LOCAL ZONE! Works also with older versions.
Send such a string to any receipent:
tlen.pl - another polish IM was also vulunerable to Bug1
they fixed it in 126.96.36.199 and (as I was told) they now block it on the servers, but you can check it
locally on your own client
Full-Disclosure - We believe in it.