XSS Ebuddy (responsible disclosure)

SECURITYVULNS:DOC:26994 - Sep 09, 2011 (vulners.com)

Early this morning, the security group Virtual Luminous published a
vulnerability in 'Ebuddy Web Messenger'. We would like to inform you
that this vulnerability had already been discovered and reported to the
vendor on June 5th, 2011 by DcLabs Security Research Group.

In the report below you will find videos and references to the date
when the POC was sent to the vendor, along with the follow-up on the
timeline for the release.

[Discussion]

  • DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

  • eBuddy Windows Live Messenger (web)

[Vendor Product Description]

  • eBuddy is a privately-held company which owns a browser-based web
    and mobile messenger service supporting various instant messaging
    services. eBuddy was launched in 2003 under the name e-Messenger,
    located at www.e-messenger.net, before re-branding itself in 2006 to
    eBuddy.

  • eBuddy supports Windows Live Messenger, Yahoo! Messenger, AIM, ICQ,
    Google Talk, MySpace Instant Messenger and Facebook Chat using one
    interface. eBuddy can also be accessed from mobile platforms such as
    iOS, Nokia Symbian and Android.

  • Site: http://www.ebuddy.com

[Advisory Timeline]

  • 05/06/2011 -> The bug was found;
  • 06/06/2011 -> First contact, requesting a security department contact;
  • 06/06/2011 -> Vendor responded;
  • 09/06/2011 -> Advisory sent to the vendor;
  • 15/06/2011 -> A demo movie showing how to exploit the flaw was sent
    to the vendor;
  • 17/06/2011 -> Vendor developing a new version;
  • 27/06/2011 -> Vendor fixed the initial bug;
  • 28/06/2011 -> The application remains vulnerable and a new alert is
    sent to the vendor;
  • 30/06/2011 -> The vendor requested a new demo movie;
  • 05/07/2011 -> A new demo movie showing how to exploit the flaw was
    sent to the vendor (http://www.youtube.com/watch?v=Kl-ahz4Kasg);
  • No vendor reply;
  • 15/07/2011 -> Notification sent to the vendor requesting a status
    update on the progress of the fix;
  • No vendor reply;
  • 01/08/2011 -> Another notification sent to the vendor;
  • 02/08/2011 -> Vendor responded (bug not patched);
  • 31/08/2011 -> Vendor was advised of the publication release;
  • 02/09/2011 -> Advisory published.

[Bug Summary]

  • The lack of input validation on the sub-nick and textarea field for
    Windows Live Messenger allows attackers to bypass client-side security
    mechanisms normally imposed on web content by modern browsers. An
    attacker can gain elevated access privileges to sensitive
    page-content, session cookies, and a variety of other information
    maintained by the browser on behalf of the user.

[Impact]

  • High

[Affected Version]

  • Ebuddy Windows Live Messenger;
  • Other products may also be vulnerable;

[Bug Description and Proof of Concept]

  • Exploiting the HTML-injection issue allows an attacker to execute
    HTML and JavaScript code in the remote user's context to steal
    cookie-based authentication credentials or to control how the site is
    rendered to the user; other attacks may also be possible.

  • Cross Site Scripting (XSS) vulnerabilities are caused by a lack of
    input validation, which allows malicious people to inject arbitrary
    HTML and script code. More info at:
    http://en.wikipedia.org/wiki/Cross-site_scripting
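The standard fix for this bug class is to encode every user-controlled field for the HTML context it is rendered into, rather than trusting it. The example below is added here and is not eBuddy's code: it contrasts a rendering routine that concatenates a sub-nick and message text straight into markup with one that HTML-encodes them, using constructed sample input (the field and function names are hypothetical).

```javascript
// Added example (not part of the advisory or the vendor's code).
// Demonstrates why output encoding stops the HTML/script injection the
// advisory describes in the sub-nick and message textarea fields.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted fields are concatenated directly into markup,
// so any tag or quote in the input becomes part of the page's HTML.
function renderMessageUnsafe(nick, subNick, text) {
  return `<div class="msg" title="${subNick}"><b>${nick}</b>: ${text}</div>`;
}

// Hardened pattern: each untrusted value is encoded for the context it lands
// in (attribute value for the sub-nick, text nodes for nick and message).
function renderMessageSafe(nick, subNick, text) {
  return `<div class="msg" title="${escapeHtml(subNick)}">` +
    `<b>${escapeHtml(nick)}</b>: ${escapeHtml(text)}</div>`;
}

// Constructed sample: a contact whose sub-nick and message carry markup.
const SAMPLE = {
  nick: "alice",
  subNick: 'say "hi" <b>now</b>',
  text: "<script>alert(1)</script> hi",
};

// True when the raw input string survives unchanged in the rendered HTML,
// i.e. the markup it contains would be parsed by the browser.
function containsRawMarkup(html, input) {
  return html.includes(input);
}

// Render the sample both ways and report whether raw markup leaked through.
function demo() {
  const unsafe = renderMessageUnsafe(SAMPLE.nick, SAMPLE.subNick, SAMPLE.text);
  const safe = renderMessageSafe(SAMPLE.nick, SAMPLE.subNick, SAMPLE.text);
  return {
    unsafeLeaks: containsRawMarkup(unsafe, SAMPLE.text),
    safeLeaks: containsRawMarkup(safe, SAMPLE.text),
    safe,
  };
}
```

Encoding on output is a mitigation for the rendering side; server-side validation of the sub-nick and message fields remains a separate control.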

All flaws described here were discovered and researched by:

Rener Alberto aka Gr1nch.
DcLabs Security Research Group
gr1nch (at) dclabs <dot> com <dot> br

[Patch(es) / Workaround]

N/A

[Greetz]
DcLabs Security Research Group.