vCard4J Toolkit Input Validation Flaw May Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1008582
SecurityTracker URL: http://securitytracker.com/id/1008582
Date: Jan 2 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
An input validation vulnerability was reported in the vCard4J Java-based vCard toolkit. A remote user may be able to conduct cross-site scripting attacks.
It is reported that in the default configuration, the software does not filter HTML scripting code from user-supplied input when creating card files.
A remote user can create a specially crafted vCard that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. Depending on how the toolkit components are implemented, the scripting code may be able to access the target user's cookies (including authentication cookies), if any, associated with the implementation site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
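An added example in Python, not code from the page or from the vCard4J project, showing the two ways a card writer can handle the nickname from the advisory: copied into the XML verbatim (the reported default) or XML-escaped (the hardened form), plus a check that flags already-written cards carrying embedded markup. The namespace URIs, the rdf:li layout and the helper names are assumptions; the toolkit's own writer and XSLT code are not on the page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace URIs and the rdf:li layout are assumptions for this example;
# the advisory shows the rdf: and vCard: prefixes but not their declarations.
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
VCARD = "http://www.w3.org/2001/vcard-rdf/3.0#"
NS = {"rdf": RDF, "vCard": VCARD}

# Constructed input modelled on the advisory's second card entry.
NICK = "Princess Corky <script>alert('x')</script>"
NOTE = "Only used by my egg pups"


def card_entry(nickname, note, escape_text):
    """Emit one card entry the way a writer might. escape_text=False mirrors
    the reported behaviour (user input copied into the XML verbatim);
    escape_text=True is the hardened form, where &, < and > become entities."""
    enc = escape if escape_text else (lambda s: s)
    return (
        f'<rdf:RDF xmlns:rdf="{RDF}" xmlns:vCard="{VCARD}">\n'
        '<rdf:li rdf:parseType="Resource">\n'
        f'<vCard:NICKNAME>{enc(nickname)}</vCard:NICKNAME>\n'
        f'<vCard:NOTE>{enc(note)}</vCard:NOTE>\n'
        '</rdf:li>\n</rdf:RDF>'
    )


def embedded_elements(card_xml):
    """Tags of any child elements found inside NICKNAME or NOTE. A clean card
    has none; markup smuggled in through user input shows up here (e.g.
    'script'), and an xHTML stylesheet that copies nodes through would hand
    it to the browser unchanged. Usable as a check on cards already on disk."""
    root = ET.fromstring(card_xml)
    found = []
    for field in ("NICKNAME", "NOTE"):
        for el in root.iter(f"{{{VCARD}}}{field}"):
            found += [child.tag.split("}")[-1] for child in el]
    return found


def nickname_text(card_xml):
    """NICKNAME as a parser reads it back: only the hardened card round-trips."""
    return ET.fromstring(card_xml).find(".//vCard:NICKNAME", NS).text


if __name__ == "__main__":
    for hardened in (False, True):
        card = card_entry(NICK, NOTE, escape_text=hardened)
        print(hardened, embedded_elements(card), repr(nickname_text(card)))
```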
The vendor was reportedly notified on December 25, 2003.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running an affected application based on the toolkit, access data recently submitted by the target user via web form to the application site, or take actions on the site acting as the target user.
Solution: The vendor has reportedly released a fixed version (4.1J). Downloads are available at:
[Editor's note: At the time of this entry, it appears that the fixed version was not yet available at the download location.]
Vendor URL: vcard4j.sourceforge.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: Possible XSS vuln in VCard4J
Timberlake Advisory 2004010109h.
vCard4J is a complete toolkit to manipulate vCards (RFC 2426) in Java. It contains a parser to read vCard files. It is strange and fearsome to touch. It also includes a compiler to extend the library. And it contains XSLTs to produce vCards 3.0, xHTML, ..., from the internal DOM structure.
Possible XSS vulnerability found in the following card files. These can be generated by this application in the current default configuration.
<vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
<vCard:NOTE> Only used by close friends porky pork pork </vCard:NOTE>
</rdf:li> <rdf:li rdf:parseType="Resource">
<vCard:NICKNAME> Princess Corky the pork snorter <script>alert('cork+kork+your+sniffy+sniff+')</script></vCard:NICKNAME>
<vCard:NOTE> Only used by my egg pups in the loungeroom and also justin winamp goblin</vCard:NOTE>
Vendor notified on 20031225: <email@example.com>: This is fixed in the next revision VCard4.1J
doe <firstname.lastname@example.org> for the initial idea.
Lance Spitzner email@example.com. Lance Spitzner is a geek who constantly plays with computers, especially network security.
dme <firstname.lastname@example.org> for the phone call to discuss.