Gwibber v2.29.1 & v3.x - Persistent Software Vulnerability

Title:
======
Gwibber v2.29.1 & v3.x - Persistent Software Vulnerability


Date:
=====
2011-12-22

Introduction:
=============
Gwibber  is a microblogging client for the GNOME desktop environment. It was created by Ryan Paul, a writer for Ars Technica. 
Gwibber is distributed under the GNU GPL license.It supports Linux and is written in Python using the PyGTK library. 
It is included by default in Ubuntu 10.04 and above.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Gwibber )

Abstract:
=========
A Vulnerability Laboratory researcher discovered a persistent software vulnerability on the Gwibber social client software.


Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium


Details:
========
A persistent input validation vulnerability is detected on the linux  version of Gwibber. The bug is located in the search bar 
module of the index. The vulnerability allows an local attacker to implement persistent malicious script codes on a Gwibber 
software main module. The successfully exploitation can lead to redirects, client side exploitation, session hijacking, 
malicious downloads & request manipulation over the vulnerable software main module.

Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x) 

Proof: 
Picture: 1 http://s46.radikal.ru/i114/1112/bc/05b6804dfbaf.jpg


Picture: 2 http://i077.radikal.ru/1112/15/c2bdf6686ec5.jpg



#  0day.today [2018-01-09]  #