LAN Messenger v1.2.28 - Persistent Software Vulnerability



EKU-ID: 2146 CVE: OSVDB-ID:
Author: expku Published: 2012-05-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Title:
======
LAN Messenger v1.2.28 - Persistent Software Vulnerability

Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
LAN Messenger is a free and open source cross-platform instant messaging application for communication over a
local network. It does not require a server. A number of useful features including event notifications, file transfer
and message logging are provided.

(Copy of the Website: http://lanmsngr.sourceforge.net )

Details:
========
A persistent software vulnerability is detected in in LAN Messenger v1.2.28. The bug is located in the profile display
& nickname validation of the software. The vulnerability allows an attacker (remote) to implement own malicious script codes as
profile. The code is getting executed when the attacker writes the victim a message. The vulnerable nickname input is getting
executed as output of the messagebox when processing to write a message. Successful exploitation can lead in persistent hijacking,
external malicious redirects, persistent script code execution to compromise the connected network client system.

Vulnerable Module(s):
[+] Username as seen by Contacts - Messagebox Display & Input

Risk:
=====
The security risk of the persistent remote web vulnerability is estimated as high.