lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: lazy at (
Subject: Re: Gadu-Gadu, another two bugs

On Fri, Dec 17, 2004 at 11:23:38AM +0100, Jaroslaw Sajko wrote:
> Product:	Gadu-Gadu, build 155 and older
> Vendor:		SMS-EXPRESS.COM (
> Impact:		Script execution in local zone,
> 		Remote DoS
> Severity:	High
> Authors: 	Blazej Miga <>,
> 		Jaroslaw Sajko <>
> Date:		17/12/04
> Bug 1.
> Parsing error. We can send a malicious string which has an url inside.
> This url can be a javascript code for example or reference to such a code.
> Code will execute when the window with message pops up. Code will execute
> in LOCAL ZONE! Works also with older versions.
> Example:
> Send such a string to any receipent:
> www.po"style=background-image:url(javascript:document.write('%3cscript%3ealert%28%22you%20are%20owned!%22%29%3c%2fscript%3e'));".pl
> - another polish IM was also vulunerable to Bug1
they fixed it in and (as I was told) they now block it on the servers, but you can check it
locally on your own client

Michal Grzedzicki

Powered by blists - more mailing lists