SYSTEM&WEB HACKING: Persistent XSS vulnerability in eBuddy Web Messenger

Friday, September 2, 2011

Persistent XSS vulnerability in eBuddy Web Messenger

A team member from Virtual Luminous Security, Russian Federation, has discovered a persistent XSS vulnerability in eBuddy (the biggest web IM solution in the world). It is triggered by transmitting messages with embedded, encoded JavaScript code.
In-depth detail
eBuddy Web Messenger suffers from an encoded persistent XSS vulnerability in its messaging function, triggered when a message with embedded code is sent to another authorized user in eBuddy Web Messenger.
Exploit example
Plain XSS (neither stored nor executed)
<script>alert('eBuddy Persistent XSS');</script>
Encoded
text=%3Cscript%3Ealert%28'eBuddy%20Persistent%20XSS'%29%3C/script%3E
[*] The attacker sends the encoded embedded code in an IM message.
[*] The victim receives the message with the encoded embedded code, and it executes in the victim's browser.
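
One way the behaviour above can arise, shown as an added example that is not from the original post and is not eBuddy's code: a filter that inspects the raw value before URL-decoding, next to a renderer that decodes first and HTML-escapes on output. The function names and the filter-then-decode order are assumptions; the two payloads are the ones shown above.

```javascript
// Added illustration, not eBuddy's code. All function names are hypothetical.
// Assumption: the server filtered the raw parameter, then URL-decoded it
// before storing it and rendering it to the recipient.

// Naive filter: rejects input that literally contains a <script tag.
function naiveFilter(raw) {
  return !/<\s*script/i.test(raw);
}

// Vulnerable order: filter the raw value, decode afterwards, render as HTML.
function vulnerableRender(rawText) {
  if (!naiveFilter(rawText)) return null;       // plain payload is dropped here
  const decoded = decodeURIComponent(rawText);  // encoded payload becomes markup here
  return '<div class="msg">' + decoded + '</div>';
}

// Output encoding for an HTML text context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Hardened order: decode once to canonical form, then escape at render time.
function hardenedRender(rawText) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawText);
  } catch (e) {
    return null;                                // malformed percent-encoding is rejected
  }
  return '<div class="msg">' + escapeHtml(decoded) + '</div>';
}

// The two payloads shown on the page.
const plain = "<script>alert('eBuddy Persistent XSS');</script>";
const encoded = "%3Cscript%3Ealert%28'eBuddy%20Persistent%20XSS'%29%3C/script%3E";
```

The hardened renderer does not depend on spotting a tag: whatever the decoded message contains is emitted as text, so the encoded and plain forms are treated identically.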
