Timberlake Advisory 2004010109h.

Program: http://sourceforge.net/projects/vcard4j/

vCard4J is a complete toolkit to manipulate vCards (RFC 2426) in Java. It contains a parser to read vCard files. It is strange and fearsome to touch. It also includes a compiler to extend the library. And it contains XSLTs to produce vCards 3.0, xHTML, ..., from the internal DOM structure.

Advisory:

Possible XSS vulnerability found in the following card files. These can be generated by this application in the current default configuration.

<vCard:GROUP>
  <rdf:bag>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
      <vCard:NOTE> Only used by close friends porky pork pork </vCard:NOTE>
    </rdf:li>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME> Princess Corky the pork snorter <script>alert('cork+kork+your+sniffy+sniff+')</script></vCard:NICKNAME>
      <vCard:NOTE> Only used by my egg pups in the loungeroom and also justin winamp goblin</vCard:NOTE>
    </rdf:li>
  </rdf:bag>
</vCard:GROUP>

Vendor Notification:

Vendor notified on 20031225: <jared@fatpumpkins.org>: This is fixed in the next revision VCard4.1J

Credits:

doe <doe@sansteachyourself.org> for the initial idea.
Lance Spitzner lance@honeynet.org. Lance Spitzner is a geek who constantly plays with computers, especially network security.
dme <dm@punkybrewster.com> for the phone call to discuss.
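Added example, not part of the original advisory and not vCard4J's own code: a small Python renderer that shows why the card above is dangerous when the NICKNAME and NOTE fields are copied into xHTML as raw markup (the way an XSLT copy-of would), beside the hardened form that flattens each field to plain text and HTML-escapes it, plus a post-generation check that flags a script tag in the produced page. The RDF and vCard namespace URIs, the sample card (same shape as the one above, with a second hostile entry that is entity-escaped in the source) and the output layout are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions; the advisory shows only the prefixes.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
VCARD_NS = "http://www.w3.org/2001/vcard-rdf/3.0#"
NS = {"rdf": RDF_NS, "vCard": VCARD_NS}

# Constructed sample modelled on the advisory's card. Entry 2 carries a literal
# <script> child element (as in the advisory); entry 3 carries the same payload
# entity-escaped, which the XML parser turns back into hostile text.
SAMPLE_CARD = f"""<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:vCard="{VCARD_NS}">
 <vCard:GROUP>
  <rdf:Bag>
   <rdf:li rdf:parseType="Resource">
    <vCard:NICKNAME>Corky Porky</vCard:NICKNAME>
    <vCard:NOTE>Only used by close friends</vCard:NOTE>
   </rdf:li>
   <rdf:li rdf:parseType="Resource">
    <vCard:NICKNAME>Princess Corky <script>alert('x')</script></vCard:NICKNAME>
    <vCard:NOTE>Only used by my egg pups</vCard:NOTE>
   </rdf:li>
   <rdf:li rdf:parseType="Resource">
    <vCard:NICKNAME>Pork &lt;script&gt;alert('y')&lt;/script&gt;</vCard:NICKNAME>
    <vCard:NOTE>escaped in the card, hostile once decoded</vCard:NOTE>
   </rdf:li>
  </rdf:Bag>
 </vCard:GROUP>
</rdf:RDF>"""


def copy_of(elem):
    """Vulnerable: serialise the field's content verbatim, the way an XSLT
    <xsl:copy-of> of the field node does. Child elements and decoded entity
    text pass straight into the output document."""
    parts = [elem.text or ""]
    for child in elem:
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts).strip()


def text_of(elem):
    """Hardened, step 1: flatten the field to plain text (what <xsl:value-of>
    yields), dropping any element structure smuggled into it."""
    return "".join(elem.itertext()).strip()


def render_group(card_xml, safe=True):
    """Render every rdf:li of the card as an xHTML list. With safe=True each
    field is flattened and HTML-escaped (step 2), so '<' can never start a tag."""
    root = ET.fromstring(card_xml)
    rows = []
    for li in root.iterfind(".//rdf:li", NS):
        nick = li.find("vCard:NICKNAME", NS)
        note = li.find("vCard:NOTE", NS)
        if safe:
            n, t = html.escape(text_of(nick)), html.escape(text_of(note))
        else:
            n, t = copy_of(nick), copy_of(note)
        rows.append(f"<li><b>{n}</b>: {t}</li>")
    return "<ul>\n" + "\n".join(rows) + "\n</ul>\n"


# Post-generation check for the generated page: the renderer never emits a
# script tag itself, so any occurrence means field content reached the markup.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.I)


def has_script_tag(xhtml):
    return SCRIPT_TAG.search(xhtml) is not None


if __name__ == "__main__":
    print("--- copy-of rendering (vulnerable) ---")
    print(render_group(SAMPLE_CARD, safe=False))
    print("--- escaped rendering (hardened) ---")
    print(render_group(SAMPLE_CARD, safe=True))
```

The check is a safety net for the build step that produces the xHTML, not a substitute for escaping: the fix belongs in the transform (value-of plus the serializer's default escaping, never disable-output-escaping on field data).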