Wednesday, September 19, 2007 9:16 AM
cmosby
AOL Instant Messenger Notification Window Script Execution Vulnerability - Advisories - Secunia
AOL Instant Messenger Notification Window Script Execution Vulnerability
Secunia Advisory:
SA26786
Release Date:
2007-09-19
Critical:
Less critical
Impact:
Cross Site Scripting
Where:
From remote
Solution Status:
Unpatched
Software:
AOL Instant Messenger 6.x
CVE reference:
CVE-2007-4901 (Secunia mirror)
Description:
Shell has discovered a vulnerability in AOL Instant Messenger, which can be exploited by malicious people to execute arbitrary script code.
Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.
Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.
The vulnerability is confirmed in version 6.1.41.2. Other versions may also be affected.
Solution:
Disable "New IMs arrive" option in the "Notifications" settings.
Add only trusted users to the Buddy List and only accept messages from trusted users.
Provided and/or discovered by:
Shell
Source: AOL Instant Messenger Notification Window Script Execution Vulnerability - Advisories - Secunia
Filed under: Patch Management, Internet Applications, Security