Kévin Dunglas

Founder of Les-Tilleuls.coop (worker-owned cooperative). Creator of API Platform, Mercure.rocks, Vulcain.rocks and of some Symfony components.
MessengerFX allows your contacts to take control over your WLM

Posted on May 16, 2008 (updated October 6, 2008) by Kévin Dunglas

I pasted some HTML code to Edouard using MessengerFX, a popular AJAX-based web client for Windows Live Messenger, and, surprise, the code was interpreted. Oh?! An XSS vulnerability? Yes, and a big one!

Every feature of the software is available through JavaScript. Any contact of a MessengerFX user can crash his browser and, furthermore, retrieve his contact list; add, remove, ban and unban contacts; and read and send messages to any other contact of the victim! Basically, an attacker only needs to be listed in the contact list of a MessengerFX user to take control of the account.

And the worst is yet to come… Using JavaScript, it seems easy to write a worm that would, for example, recursively delete every contact of MessengerFX users, using the vulnerability to get the contact list and delete the contacts one by one. The worm could also try to bring down the WLM network with a DDoS attack, sending a heavy load of messages at the same time from the WLM accounts of infected MessengerFX users.

MessengerFX is popular and growing, so such a flaw can be very dangerous for a lot of people. I have sent an email to the development team and I hope they will fix their application soon… because the fix is as simple as an htmlspecialchars() call. MessengerFX users, stop using it and try Meebo or the official Microsoft WLM web-based client. Web developers, never trust user-submitted data and always escape those inputs!

Edit, October 6, 2008: the problem is now fixed.

2 thoughts on “MessengerFX allows your contacts to take control over your WLM”

  1. Pingback: MessengerFX’s security problem corrected - Un développeur freelance à Lille
  2. iris says:
    August 3, 2009 at 6:25 pm

    ola
