oss-sec mailing list archives

Re: Re: CVE Status Clarification / Request -- kadu: Stored XSS by parsing contact's status and sms messages in history


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 28 Feb 2012 09:24:29 -0700

On 02/27/2012 02:09 PM, Rafał Malinowski wrote:
Affected versions: 0.9.0 - 0.11.0 (0.11.1 is not vulnerable)

Vulnerability:

Any javascript code could be executed from Kadu History Window in
following conditions:
* application owner sends a prepared SMS and the content of this SMS is
stored in history file
* owner of application has an attacker on his buddy list, attacker
sets a prepared presence message/status description and this presence
message/status description is stored in history file

and then:

* owner of application views given SMS or presence message/status
description in history window


Javascript code was allowed to:
* load any file from the web, by <img> or <script> tags; even <object>
tags with Flash files were possible
* read files from local file system
* (not confirmed by myself) write files to local file system
* show javascript windows (like alert)

Please use CVE-2012-1091 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
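The defect class Rafał describes (contact-supplied text such as a presence description or an SMS body written to the history file and later rendered as HTML in the history window) is illustrated below with an added C++ example. This is not Kadu's own code; the `HistoryEntry` struct, the sample status description and the two render functions are constructed here for illustration. The unsafe renderer concatenates the stored text straight into the markup, so a `<script>` tag in a buddy's status becomes live code; the hardened renderer escapes every untrusted field at render time.

```cpp
#include <iostream>
#include <string>

// Constructed sample history record (hypothetical; not Kadu's data model).
// `message` is the attacker-controllable field: an SMS body or a buddy's
// presence description as it was received and stored in the history file.
struct HistoryEntry {
    std::string contact;
    std::string message;
};

// Escape the characters that change meaning in HTML text nodes and in
// double- or single-quoted attribute values. A Qt code base would use
// QString::toHtmlEscaped() for the same purpose.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// The pattern behind the report: stored text dropped into the page shown by
// the history web view without escaping, so markup in the text is parsed
// as HTML and any script in it runs with the web view's privileges.
std::string renderUnsafe(const HistoryEntry &e) {
    return "<div class=\"entry\"><b>" + e.contact + "</b>: " + e.message + "</div>";
}

// Hardened rendering: each untrusted field is escaped at the point where it
// enters the markup, regardless of how it was stored.
std::string renderSafe(const HistoryEntry &e) {
    return "<div class=\"entry\"><b>" + htmlEscape(e.contact) + "</b>: "
         + htmlEscape(e.message) + "</div>";
}

// Detection helper for the checks below: does the rendered HTML still contain
// a raw tag opener for the given tag name?
bool containsRawTag(const std::string &html, const std::string &tag) {
    return html.find("<" + tag) != std::string::npos;
}

int main() {
    // Constructed status description carrying a script tag.
    HistoryEntry e{"buddy", "away <script>probe()</script>"};
    std::cout << "unsafe: " << renderUnsafe(e) << "\n";
    std::cout << "safe:   " << renderSafe(e) << "\n";
    return 0;
}
```

Escaping has to happen where the text meets the HTML, not only when it is written to the history file: older history files already hold unescaped content, and the same stored string may later be inserted into a different context (an attribute, a URL) that needs a different encoding. The report's bullet about reading local files also shows that the rendered page ran with local-file privileges in the web view, so restricting what the history page's origin may load is a second, independent layer on top of output escaping.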

