Adium 1.4.2 Cross Site Scripting
Posted on 02 August 2011
+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+

Date:
-----
08/02/2011

Vendor:
-------
Adium - http://www.adium.im/

Affected Software:
------------------
Software: Adium
Version: <= 1.4.2

Affected Platforms:
-------------------
Mac OS X (10.6.8, 10.6.7, maybe also other...)

Vulnerability Class:
--------------------
HTML/Javascript-Injection / Cross-Site Scripting

Description:
------------
Adium suffers from a persistent HTML/Javascript injection / Cross-Site
Scripting vulnerability due to a lack of input validation and output
sanitization of filenames.

Proof of Concept:
-----------------
The following HTML/Javascript payload can be used as a filename to trigger the
described vulnerability:

--- SNIP ---
sh3ll$ echo "123" > "><body><h1>0x90trix pwns - XSS POWER <iframe src="www.google.com" style="background-color: green".gif
--- SNIP ---

For a PoC demonstration see:
- http://www.noptrix.net/tmp/adium_inject.png
- http://www.noptrix.net/tmp/adium_inject2.png
- http://www.noptrix.net/tmp/adium_inject3.png

Impact:
-------
An attacker could for example inject HTML/Javascript code and redirect/phish
any users of Adium. With some time, creativity, fantasy and good music, an
attacker could leverage the vulnerability to increase the attack vector to the
underlying software and operating system of the victim.

Threat Level:
-------------
Medium - High

Solution:
---------
adium.im has to validate the input characters and sanitize the output.

Status:
-------
Adium hasn't fixed the issue yet.

Notes:
------
To the whole world:

Funny thing: Anglophone and German media refer to me as Armenian in their Skype
XSS articles, yet all the Turkish news sites insist that I am Turkish. For the
record, I am Armenian and my people have been persecuted by Turkey for hundreds
of years. Thanks.
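
The fix named under "Solution" (validate the filename, encode it on output), sketched as an added example that is not part of the advisory and not Adium's code. It assumes the received filename is concatenated into HTML for the client's message view; every function name and the sample filename are constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not Adium's API.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can close a text node or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation for display: drop control characters and bidi overrides,
// and cap the length so a long name cannot flood the message view.
function sanitizeFilenameForDisplay(name, maxLen = 255) {
  const cleaned = String(name)
    .replace(/[\u0000-\u001f\u007f\u202a-\u202e\u2066-\u2069]/g, "");
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen - 1) + "\u2026" : cleaned;
}

// Vulnerable pattern: the filename reaches the markup unchanged.
function renderTransferNoticeUnsafe(sender, filename) {
  return '<div class="transfer" title="' + filename + '">' +
    sender + " wants to send you " + filename + "</div>";
}

// Hardened pattern: validate first, then encode at the point of output.
function renderTransferNoticeSafe(sender, filename) {
  const shown = escapeHtml(sanitizeFilenameForDisplay(filename));
  return '<div class="transfer" title="' + shown + '">' +
    escapeHtml(sender) + " wants to send you " + shown + "</div>";
}

// Regression check: true when the notice holds any tag besides the wrapper div.
function containsInjectedMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.length !== 2 ||
    !/^<div class="transfer" title="[^"<>]*">$/.test(tags[0]) ||
    tags[1] !== "</div>";
}

// Constructed sample: a filename that carries markup, as in the advisory's case.
const sampleFilename = '"><h1>injected</h1>.gif';
console.log(containsInjectedMarkup(renderTransferNoticeUnsafe("peer", sampleFilename)));
console.log(containsInjectedMarkup(renderTransferNoticeSafe("peer", sampleFilename)));
```

Encoding happens at output, so the stored or transferred filename stays byte-for-byte intact and only its rendering changes.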
