Tuesday 14 February 2012

Gwibber (Ubuntu 11.04) XSS/DoS

I was wondering whether there is something similar to the Skype XSS attack in the new Ubuntu Linux.
The tested program is called Gwibber, and it is installed by default on Ubuntu 11.04.


The "Search" feature seems to be vulnerable.
To verify the persistent XSS, enter this example code in "Search":
<script>alert('XSS'); </script>


Look out: this code will be stored in Gwibber permanently.
If you add this to your Gwibber and re-run it, the app will show the XSS and crash because of DoS.
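
A defender's view of the behaviour described above, as an added example (not code from Gwibber or from the original post). It assumes saved searches are kept as a plain list of strings and rendered into an HTML list; the function names and the sample list are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of persisted search terms (assumed storage: a plain list).
SAVED_SEARCHES = ["ubuntu", "<script>alert('XSS'); </script>", "linux & security"]

# Matches the start of an HTML tag inside a stored term.
TAG_START = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def render_unsafe(terms):
    """The 'before': stored terms are concatenated into markup unchanged."""
    return "".join(f"<li>{t}</li>" for t in terms)


def render_safe(terms):
    """The 'after': every stored term is escaped at output time."""
    return "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in terms)


def audit(terms):
    """Return already-stored terms that contain tag markup and need review."""
    return [t for t in terms if TAG_START.search(t)]


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser would see in the output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unescaped view parses as:", tags_in(render_unsafe(SAVED_SEARCHES)))
    print("escaped view parses as:  ", tags_in(render_safe(SAVED_SEARCHES)))
    print("stored entries to review:", audit(SAVED_SEARCHES))
```

Because the term is persisted, escaping at output time covers entries saved before the fix, while the audit lists the stored values that should be reviewed or removed.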

Found: 11.01.2012.
Vendor was informed: 19.01.2012.


Enjoy! ;)

(Thanks if you can confirm it with your versions.)

Cheers
