Summary

Source: http://packetstormsecurity.org/files/view/103645/adium-xss.txt

Adium suffers from a persistent HTML/JavaScript injection (cross-site scripting) vulnerability due to a lack of input validation and output sanitization of filenames.

Steps to reproduce

The following HTML/JavaScript payload can be used as a filename to trigger the described vulnerability:

--- SNIP ---

sh3ll$ echo "123" > \"\>\<body\>\<h1\>0x90trix\ pwns\ -\ XSS\ POWER\ \<iframe\ \src\=\"www.google.com\"\ style\=\"background-color\:\ green\".gif

--- SNIP ---

For a PoC demonstration see:

Expected results

HTML should not be parsed.

Actual results

HTML was parsed.
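
The missing output encoding behind the two results above, as an added example that is not Adium's code or part of the original report: the filename from the reproduction step is placed into an HTML fragment once unescaped and once HTML-escaped, and the element tags a parser would see are listed for each. The `renderUnsafe`/`renderSafe` template, the `tagNames` helper and all other names are hypothetical; the page does not show how Adium builds its message view.

```javascript
// Filename from the reproduction step, as the shell stores it after removing
// the backslash escapes (constructed from the command on this page).
const FILENAME = '"><body><h1>0x90trix pwns - XSS POWER ' +
  '<iframe src="www.google.com" style="background-color: green".gif';

// Characters that can end a text node or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode untrusted text for HTML element content and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical file-transfer notice (assumption, not Adium's real markup).
// Vulnerable form: the filename is concatenated into the markup as-is.
function renderUnsafe(filename) {
  return '<div class="transfer"><a title="' + filename + '">' +
    filename + '</a></div>';
}

// Hardened form: the filename is encoded at the point of output.
function renderSafe(filename) {
  const safe = escapeHtml(filename);
  return '<div class="transfer"><a title="' + safe + '">' + safe + '</a></div>';
}

// List the element start tags in a fragment, so the two renderings can be
// compared without a browser. A rough check, not a full HTML parser.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g),
    (m) => m[1].toLowerCase());
}

console.log('unsafe tags:', tagNames(renderUnsafe(FILENAME)).join(','));
console.log('safe tags:  ', tagNames(renderSafe(FILENAME)).join(','));
console.log(renderSafe(FILENAME));
```

Escaping is specific to the output context; this encoder covers element content and quoted attributes only, not URLs or script blocks.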

Regression

Affected Software:

Software: Adium
Version: <= 1.4.2

Affected Platforms:

Mac OS X (10.6.8, 10.6.7, maybe also other...)
