Rediff Bol's ActiveX control allows a webpage to read the user's Windows Address Book (WAB) contacts. Version 7.0 is affected.
ed16e9cd4a0a461f65e16cd6971b90b7c52e34664b75db20d8cac3a78f0aed87Rediff Bol 7.0 WAB Contacts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Program : Rediff Bol 7.0
It is a popular instant messenger from Rediff.com
Related URL : https://messenger.rediff.com/newbol/
Discovered by : Gregory R. Panakkal
Vulnerability Description :
Rediff Bol's ActiveX control (Fetch.FetchContact.1 /
Fetch.dll) allows a webpage
to read the user's Windows Address Book (WAB)
contacts. The method "FullAddressBook"
returns the WAB contact list in XML format
Proof Of Concept:
[script]
var Obj = new ActiveXObject("Fetch.FetchContact.1");
alert(Obj.FullAddressBook(0,"","",""));
[/script]
Online Demo:
https://www.infogreg.com/security/im/rediff-bol-7-exposes-wab.html
rgds,
Gregory R. Panakkal
https://www.infogreg.com/
__________________________________________________________
Yahoo! India Matrimony: Find your partner online. Go to https://yahoo.shaadi.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed