Early this morning, the security group Virtual Luminous published a vulnerability in 'Ebuddy Web Messenger' and we would like to inform you that this vulnerability had been discovered and reported to the vendor on June 5th, 2011 by DcLabs Security Research Group.
In the report below you are going to find videos and references to the date when the POC was sent to the vendor and the follow up regarding the timeline for the release.
[Vendor Product Description]
eBuddy is a privately-held company which owns a browser-based web and mobile messenger service supporting various instant messaging services. eBuddy was launched in 2003 under the name e-Messenger, located at www.e-messenger.net, before re-branding itself in 2006 to eBuddy.
eBuddy supports Windows Live Messenger, Yahoo! Messenger, AIM, ICQ, Google Talk, MySpace Instant Messenger and Facebook Chat using one interface. eBuddy can also be accessed from mobile platforms such as iOS, Nokia Symbian and Android.
[Bug Description and Proof of Concept]
Exploiting the HTML-injection issue allows an attacker to execute HTML and JavaScript code in the remote user's context to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks may also be possible.
Moreover, Cross-Site Scripting (XSS) vulnerabilities are caused by a lack of input validation, which allows malicious people to inject arbitrary HTML and script code. More info at: http://en.wikipedia.org/wiki/Cross-site_scripting
All flaws described here were discovered and researched by:
Rener Alberto aka Gr1nch. DcLabs Security Research Group gr1nch (at) dclabs <dot> com <dot> br
[Patch(s) / Workaround]
[Greetz] DcLabs Security Research Group.