Gadu-Gadu 6.0 URL Parser Javascript XSS

2004-12-17T00:00:00
ID EDB-ID:25009
Type exploitdb
Reporter Jaroslaw Sajko
Modified 2004-12-17T00:00:00

Description

Gadu-Gadu 6.0 URL Parser Javascript XSS. CVE-2004-1410 . Remote exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/11998/info

Multiple remote vulnerabilities reportedly affect Gadu-Gadu instant messenger. It supports the DCC (Direct Client Connection) protocol, facilitating the transfer of files and messages between users.

The input validation issue is an HTML injection vulnerability in the instant messaging system. It is worth noting that this issue, although not exactly the same, resembles closely the HTML injection issue outlined in BID 11899 (Gadu-Gadu Multiple Remote Vulnerabilities). The denial of service vulnerability is due to a bug in the image handling code of the affected application.

An attacker may leverage these issues to carry out HTML injection attacks, potentially stealing sensitive information, and to carry out denial of service attacks, denying legitimate users of access to the affected software. 

www.po"style=background-image:url(javascript:document.write('%3cscript%3ealert%28%22you%20are%20owned!%22%29%3c%2fscript%3e'));".pl