Possible XSS vuln in VCard4J

["Just1n T1mberlake" <hotpackets () hellokitty com>]

Timberlake Advisory 2004010109h.

Program:

http://sourceforge.net/projects/vcard4j/

vCard4J is a complete toolkit to manipulate vCards (RFC 2426) in Java. It contains a parser to read vCard files. It is 
strange and fearsome to touch. It also includes a compiler to extend the library. And it contains XSLTs to produce 
vCards 3.0, xHTML, ..., from the internal DOM structure. 

Advisory:

Possible XSS vulnerability found in the following card files. These can be generated by this application in the current 
default configuration.

   <vCard:GROUP>
     <rdf:bag>
       <rdf:li rdf:parseType="Resource">
         <vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
         <vCard:NOTE> Only used by close friends porky pork pork </vCard:NOTE>
       </rdf:li>        <rdf:li rdf:parseType="Resource">
         <vCard:NICKNAME> Princess Corky the pork snorter 
<script>alert('cork+kork+your+sniffy+sniff+')</script></vCard:NICKNAME>
         <vCard:NOTE> Only used by my egg pups in the loungeroom and also justin winamp goblin</vCard:NOTE>
       </rdf:li>
     </rdf:bag>
   </vCard:GROUP>

Vendor Notification:

Vendor notified on 20031225: <jared () fatpumpkins org>: This is fixed in the next revision VCard4.1J

Credits:

doe <doe () sansteachyourself org> for the initial idea.
Lance Spitzner lance () honeynet org. Lance Spitzner is a geek who constantly plays with computers, especially network 
security.
dme <dm () punkybrewster com> for the phone call to discuss.

-- 
____________________________________________________
Get your own Hello Kitty email @ www.sanriotown.com

Powered by Outblaze