eBuddy Web Messenger suffers from an encoded-Persistent XSS vulnerability in the messaging function. (while sending a message with embedded code to another authorized user in eBuddy Web Messenger)
Vulnerability Info:
- Author: Russian Fedration
- Date: 31.08.2011
- Version: Works with latest eBuddy Web Messenger. (as of September 2011)
- Vulnerability: Persistent XSS
Plain XSS (Not going to store, nor execute)
<script>alert('eBuddy Persistent XSS');</script>
Encoded
Replaced '<' with %3c ,'>' with %3E ...
text=%3Cscript%3Ealert%28'eBuddy%20Persistent%20XSS'%29%3C/script%3E
The attacker sends the encoded embedded code in an IM message:
The victim receives the message with the encoded embedded code and it executes on the victims browser:
Message from them:
We're not going to show examples of malicious use to avoid the usage of
fame hungry kidiots. If you're creative, the universe is the limit. :)
