lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: sloik at (Jaroslaw Sajko)
Subject: Gadu-Gadu, another two bugs

Product:	Gadu-Gadu, build 155 and older
Impact:		Script execution in local zone,
		Remote DoS
Severity:	High
Authors: 	Blazej Miga <>,
		Jaroslaw Sajko <>
Date:		17/12/04


Gadu-Gadu is the first Polish instant messenger used by ca. 3 millions of
people per month.

In addition to the last vulnerabilities there are two another
vulnerabilities in the build which have been released after our last


Bug 1.
Parsing error. We can send a malicious string which has an url inside.
This url can be a javascript code for example or reference to such a code.
Code will execute when the window with message pops up. Code will execute
in LOCAL ZONE! Works also with older versions.


Send such a string to any receipent:

Bug 2.
Beacause in this build default configuration allows sending of the images
we can send an image. There is some new feature, a loop checking filename
for disallowed characters, but the loop under some circumstances is an
infinite loop. So, if an image name isn't starting with the '..', '/', '\'
or '&#' then Gadu-Gadu applications falls into infinite loop, consumes
resources, and will not receive or send any message anymore. So we have a
simple DoS (livelock).


Send any image (filename must be a 'normal' filename) to your friend.


Please upgrade to the newest build (build 156).

Powered by blists - more mailing lists