Program:
http://sourceforge.net/projects/vcard4j/
vCard4J is a complete toolkit for manipulating vCards (RFC 2426) in Java. It contains a parser to read vCard files. It is strange and fearsome to touch. It also includes a compiler to extend the library, and XSLTs to produce vCards 3.0, xHTML and other formats from the internal DOM structure.
Advisory:
A possible XSS vulnerability was found in card files such as the one below, which this application generates in its current default configuration: markup placed in a vCard property is carried through into the xHTML output unescaped.
<vCard:GROUP>
  <rdf:bag>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME> Corky Porky </vCard:NICKNAME>
      <vCard:NOTE> Only used by close friends porky pork pork </vCard:NOTE>
    </rdf:li>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME> Princess Corky the pork snorter <script>alert('cork+kork+your+sniffy+sniff+')</script></vCard:NICKNAME>
      <vCard:NOTE> Only used by my egg pups in the loungeroom and also justin winamp goblin</vCard:NOTE>
    </rdf:li>
  </rdf:bag>
</vCard:GROUP>
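As an added illustration (not code from the advisory or from vCard4J), the Python below contrasts copying a vCard property's content into xHTML verbatim, which is what the card above exploits, with taking the property's string value and HTML-escaping it, and adds a check that flags properties carrying child markup. The namespace URIs and the sample card are assumed and constructed here; the advisory shows only the prefixes.

```python
import html
import xml.etree.ElementTree as ET

# Namespace URIs are assumed; the advisory shows only the rdf:/vCard: prefixes.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
VCARD_NS = "http://www.w3.org/2001/vcard-rdf/3.0#"

# Constructed sample in the shape of the advisory's card: the second NICKNAME
# carries a literal <script> element inside a property that should be plain text.
SAMPLE = f"""<vCard:GROUP xmlns:rdf="{RDF_NS}" xmlns:vCard="{VCARD_NS}">
  <rdf:bag>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME>Corky Porky</vCard:NICKNAME>
      <vCard:NOTE>Only used by close friends</vCard:NOTE>
    </rdf:li>
    <rdf:li rdf:parseType="Resource">
      <vCard:NICKNAME>Princess Corky <script>alert('xss')</script></vCard:NICKNAME>
      <vCard:NOTE>Only used by my egg pups</vCard:NOTE>
    </rdf:li>
  </rdf:bag>
</vCard:GROUP>"""

def string_value(elem):
    """XPath string-value: all descendant text, with the markup itself dropped."""
    return "".join(elem.itertext()).strip()

def render_unsafe(elem):
    """Copies the property's content into the page verbatim, child elements
    included (what xsl:copy-of or disabled output escaping would do)."""
    return (elem.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in elem)

def render_safe(elem):
    """Takes the string value and HTML-escapes it (what xsl:value-of with
    normal output escaping does)."""
    return html.escape(string_value(elem), quote=True)

def render_nicknames(xml_text, renderer):
    root = ET.fromstring(xml_text)
    return ["<li>%s</li>" % renderer(n) for n in root.iter("{%s}NICKNAME" % VCARD_NS)]

def properties_with_markup(xml_text):
    """Detection: vCard properties inside an rdf:li that contain child elements,
    i.e. markup where only text is expected. Returns their local names."""
    root = ET.fromstring(xml_text)
    return [prop.tag.split("}", 1)[1]
            for li in root.iter("{%s}li" % RDF_NS)
            for prop in li if len(prop) > 0]

if __name__ == "__main__":
    for line in render_nicknames(SAMPLE, render_safe):
        print(line)
```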
Vendor Notification:
Vendor notified on 20031225 (<jared (at) fatpumpkins (dot) org [email concealed]>). The vendor states this is fixed in the next revision, VCard4.1J.
Credits:
doe <doe (at) sansteachyourself (dot) org [email concealed]> for the initial idea.
Lance Spitzner <lance (at) honeynet (dot) org [email concealed]>. Lance Spitzner is a geek who constantly plays with computers, especially network security.
dme <dm (at) punkybrewster (dot) com [email concealed]> for the phone call to discuss.