Gadu-Gadu 6.0 - URL Parser JavaScript Cross-Site Scripting

EDB-ID:

25009


Platform:

Windows

Published:

2004-12-17

source: http://www.securityfocus.com/bid/11998/info

Multiple remote vulnerabilities reportedly affect Gadu-Gadu instant messenger. It supports the DCC (Direct Client Connection) protocol, facilitating the transfer of files and messages between users.

The input validation issue is an HTML injection vulnerability in the instant messaging system. It is worth noting that this issue, although not exactly the same, resembles closely the HTML injection issue outlined in BID 11899 (Gadu-Gadu Multiple Remote Vulnerabilities). The denial of service vulnerability is due to a bug in the image handling code of the affected application.

An attacker may leverage these issues to carry out HTML injection attacks, potentially stealing sensitive information, and to carry out denial of service attacks, denying legitimate users of access to the affected software. 

www.po"style=background-image:url(javascript:document.write('%3cscript%3ealert%28%22you%20are%20owned!%22%29%3c%2fscript%3e'));".pl