SecurityTracker.com

SecurityTracker Archives

Category: Application (Generic) > vCard4J
Vendors: vcard4j.sourceforge.net
vCard4J Toolkit Input Validation Flaw May Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1008582
SecurityTracker URL: http://securitytracker.com/id/1008582
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 2 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes    Vendor Confirmed: Yes    Exploit Included: Yes

Description:   An input validation vulnerability was reported in the vCard4J Java-based vCard toolkit. A remote user may be able to conduct cross-site scripting attacks.

It is reported that in the default configuration, the software does not filter HTML scripting code from user-supplied input when creating card files.

A remote user can create a specially crafted vCard that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. Depending on how the toolkit components are implemented, the scripting code may be able to access the target user's cookies (including authentication cookies), if any, associated with the implementation site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
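The description above hinges on one point: a field such as NICKNAME is stored in the card's XML and later transformed into xHTML, so whatever markup the card author placed in that field reaches the browser unless the output stage escapes it. The following Python script (an added example, not code from vCard4J or from the advisory, and written in Python rather than the toolkit's Java so it runs stand-alone) contrasts the two output patterns over a constructed card modelled on the GROUP fragment quoted in the source message below. The `vCard:` namespace URI, the `render_unsafe`, `render_safe` and `audit` function names and the xHTML list layout are all assumptions of the example, not details of the toolkit.

```python
import html
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Assumed namespace for the vCard: prefix; vCard4J's own URI may differ.
VCARD_NS = "http://www.w3.org/2001/vcard-rdf/3.0#"
NS = {"rdf": RDF_NS, "vCard": VCARD_NS}

# Constructed sample modelled on the advisory's GROUP fragment, wrapped in a root
# element that declares both prefixes so a standard XML parser accepts it.
SAMPLE_CARD = f"""<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:vCard="{VCARD_NS}">
  <vCard:GROUP>
    <rdf:bag>
      <rdf:li rdf:parseType="Resource">
        <vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
        <vCard:NOTE> Only used by close friends </vCard:NOTE>
      </rdf:li>
      <rdf:li rdf:parseType="Resource">
        <vCard:NICKNAME> Princess Corky <script>alert('xss')</script></vCard:NICKNAME>
        <vCard:NOTE> Only used by my egg pups </vCard:NOTE>
      </rdf:li>
    </rdf:bag>
  </vCard:GROUP>
</rdf:RDF>"""


def inner_markup(elem):
    """Serialise a field's content the way a copy-of style transform would:
    the leading text plus every child element, verbatim."""
    parts = [elem.text or ""]
    for child in elem:
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts).strip()


def entries(card_xml):
    """Yield (NICKNAME element, NOTE element) for each rdf:li in the GROUP bag."""
    root = ET.fromstring(card_xml)
    for li in root.iterfind(".//vCard:GROUP/rdf:bag/rdf:li", NS):
        yield li.find("vCard:NICKNAME", NS), li.find("vCard:NOTE", NS)


def render_unsafe(card_xml):
    """Vulnerable pattern: field content is copied into the xHTML page as-is,
    so markup embedded in the card becomes markup in the page."""
    rows = [f"<li><b>{inner_markup(n)}</b>: {inner_markup(t)}</li>"
            for n, t in entries(card_xml)]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(card_xml):
    """Hardened pattern: every field is HTML-escaped at the output stage, so the
    same content is displayed as text and never interpreted by the browser."""
    rows = [f"<li><b>{html.escape(inner_markup(n))}</b>: {html.escape(inner_markup(t))}</li>"
            for n, t in entries(card_xml)]
    return "<ul>" + "".join(rows) + "</ul>"


def audit(card_xml):
    """Detection on the input side: NICKNAME and NOTE should be plain text, so a
    field that carries child elements is flagged with the tags it contains."""
    findings = []
    for n, t in entries(card_xml):
        for field in (n, t):
            if field is not None and len(field) > 0:
                local_name = field.tag.split("}")[1]
                findings.append((local_name, [child.tag for child in field]))
    return findings


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_CARD))
    print(render_safe(SAMPLE_CARD))
    print(audit(SAMPLE_CARD))
```

Escaping at the point where card data is written into the page is the fix that does not depend on anticipating every payload; the `audit` check is useful as a second layer for cards arriving from untrusted sources, since a nickname with nested elements is not something a legitimate card generator produces.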

The vendor was reportedly notified on December 25, 2003.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running an affected application based on the toolkit, access data recently submitted by the target user via web form to the application site, or take actions on the site acting as the target user.

Solution: The vendor has reportedly released a fixed version (4.1J). Downloads are available at:

http://sourceforge.net/project/showfiles.php?group_id=60315

[Editor's note: At the time of this entry, it appears that the fixed version was not yet available at the download location.]

Vendor URL: vcard4j.sourceforge.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Possible XSS vuln in VCard4J


Timberlake Advisory 2004010109h.

Program:

http://sourceforge.net/projects/vcard4j/

vCard4J is a complete toolkit to manipulate vCards (RFC 2426) in Java. It contains a parser to read vCard files. It is strange and fearsome to touch. It also includes a compiler to extend the library. And it contains XSLTs to produce vCards 3.0, xHTML, ..., from the internal DOM structure.

Advisory:

Possible XSS vulnerability found in the following card files. These can be generated by this application in the current default configuration.

   <vCard:GROUP>
     <rdf:bag>
       <rdf:li rdf:parseType="Resource">
         <vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
         <vCard:NOTE> Only used by close friends porky pork pork </vCard:NOTE>
       </rdf:li>
       <rdf:li rdf:parseType="Resource">
         <vCard:NICKNAME> Princess Corky the pork snorter <script>alert('cork+kork+your+sniffy+sniff+')</script></vCard:NICKNAME>
         <vCard:NOTE> Only used by my egg pups in the loungeroom and also justin winamp goblin</vCard:NOTE>
       </rdf:li>
     </rdf:bag>
   </vCard:GROUP>

Vendor Notification:

Vendor notified on 20031225: <jared@fatpumpkins.org>: This is fixed in the next revision VCard4.1J

Credits:

doe <doe@sansteachyourself.org> for the initial idea.
Lance Spitzner lance@honeynet.org. Lance Spitzner is a geek who constantly plays with computers, especially network security.
dme <dm@punkybrewster.com> for the phone call to discuss.


Copyright 2020, SecurityGlobal.net LLC