Title:
======
LAN Messenger v1.2.28 - Persistent Software Vulnerability
Common Vulnerability Scoring System:
====================================
7.5
Introduction:
=============
LAN Messenger is a free and open source cross-platform instant messaging application for communication over a
local network. It does not require a server. A number of useful features including event notifications, file transfer
and message logging are provided.
(Copy of the Website: http://lanmsngr.sourceforge.net )
Details:
========
A persistent software vulnerability has been detected in LAN Messenger v1.2.28. The bug is located in the profile display
and nickname validation of the software. The vulnerability allows a remote attacker to inject their own malicious script code as a
profile value. The code is executed when the attacker writes the victim a message: the vulnerable nickname input is
executed as output of the message box while the message is being processed. Successful exploitation can lead to persistent hijacking,
external malicious redirects, and persistent script code execution that compromises the connected network client system.
Vulnerable Module(s):
[+] Username as seen by Contacts - Messagebox Display & Input
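Added example (not code from LAN Messenger or from the original advisory): the two controls this defect class calls for, nickname validation on input and encoding at the point of display. It assumes the message box renders markup; the function names, the 32-byte limit and the sample nickname are hypothetical.

```cpp
#include <iostream>
#include <string>

// Input-side check (hypothetical policy): short, no control or markup characters.
bool isValidNickname(const std::string& nick) {
    if (nick.empty() || nick.size() > 32) return false;
    for (unsigned char c : nick) {
        if (c < 0x20 || c == 0x7f) return false;             // control characters
        if (c == '<' || c == '>' || c == '&' || c == '"' || c == '\'') return false;
    }
    return true;
}

// Output-side encoding: neutralise markup metacharacters before display.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Weak pattern: a peer-supplied nickname is concatenated into the view as-is.
std::string renderHeaderUnsafe(const std::string& nick) {
    return "<span class=\"sender\">" + nick + "</span>";
}

// Hardened pattern: encode on output, because a remote peer controls its own
// nickname and cannot be trusted to have run the input-side check.
std::string renderHeaderSafe(const std::string& nick) {
    return "<span class=\"sender\">" + escapeHtml(nick) + "</span>";
}

int main() {
    const std::string peerNick = "<b>Bob</b>";  // constructed sample, harmless markup
    std::cout << "valid:  " << isValidNickname(peerNick) << "\n"
              << "unsafe: " << renderHeaderUnsafe(peerNick) << "\n"
              << "safe:   " << renderHeaderSafe(peerNick) << "\n";
}
```

The input check alone is not sufficient, since the nickname arrives from another client on the network; the encoding step on the receiving side is what keeps the value inert in the message box.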
Risk:
=====
The security risk of the persistent remote web vulnerability is estimated as high.