
Kévin Dunglas

Founder of Les-Tilleuls.coop (worker-owned cooperative). Creator of API Platform, FrankenPHP, Mercure.rocks, Vulcain.rocks and of some Symfony components.


MessengerFX allows your contacts to take control over your WLM

Posted on May 16, 2008 (updated October 6, 2008) by Kévin Dunglas

I pasted some HTML code to Edouard using MessengerFX, a popular web-based Windows Live Messenger client built on AJAX, and, surprise, the code was interpreted. Oh?! An XSS vulnerability? Yes, and a big one!

Every feature of the software is available through JavaScript. Any contact of a MessengerFX user can crash their browser and, furthermore, retrieve their contact list; add, remove, ban and unban contacts; and read and send messages to any other contact of the victim! Basically, an attacker only needs to be listed in the contact list of a MessengerFX user, and that attacker can take control over the account.

And the worst is yet to come… Using JavaScript, it seems easy to write a worm that would, for example, recursively delete every contact of MessengerFX users, say by using the vulnerability to get the contact list and delete the entries one by one. The worm could also try to bring down the WLM network with a DDoS attack, a heavy load of messages sent at the same time from the WLM accounts of infected MessengerFX users.

MessengerFX is popular and growing, so such a flaw can be very dangerous for a lot of people. I have sent a mail to the development team and I hope they will fix their application soon, because the fix is as simple as an htmlspecialchars() call. MessengerFX users, stop using it for now and try Meebo or the official Microsoft WLM web-based client. Web developers, never trust user-submitted data, and always escape those inputs!
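To make the bug and the one-line fix concrete, here is an added example (my own illustration, not MessengerFX's code): a minimal model of how an AJAX chat client turns an incoming message into markup. The first renderer concatenates the raw body into the HTML, which is exactly what lets a contact's HTML run in the victim's browser; the second passes everything through an escapeHtml() helper that mirrors PHP's htmlspecialchars() with ENT_QUOTES. The message text, the sender name and the containsInjectedTag() check are constructed for this example.

```javascript
// Escape the five characters that matter in HTML text and attribute
// context. Same output as PHP: htmlspecialchars($text, ENT_QUOTES).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")   // must be first, or later entities get double-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// VULNERABLE: the message body (controlled by the remote contact) is
// dropped straight into markup. Anything that looks like a tag becomes a tag.
function renderMessageUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// FIXED: every untrusted value is escaped before it touches the template,
// so the browser shows the text of the message instead of interpreting it.
// (In a real DOM client, assigning the body via element.textContent
// instead of innerHTML gives the same guarantee without a helper.)
function renderMessageSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple defender-side check for this template: the template itself opens
// exactly four tags ("<div ...>", "<b>", "</b>", "</div>"). Any extra "<"
// in the rendered output can only have come from the untrusted input.
const TEMPLATE_TAG_COUNT = 4;
function containsInjectedTag(html) {
  const opens = (html.match(/</g) || []).length;
  return opens > TEMPLATE_TAG_COUNT;
}

// Constructed sample message: the kind of content a contact could paste.
const sampleSender = "mallory";
const sampleBody = '<script>alert("xss")</script>';

console.log("unsafe:", renderMessageUnsafe(sampleSender, sampleBody));
console.log("injected tag present:", containsInjectedTag(renderMessageUnsafe(sampleSender, sampleBody)));
console.log("safe:  ", renderMessageSafe(sampleSender, sampleBody));
console.log("injected tag present:", containsInjectedTag(renderMessageSafe(sampleSender, sampleBody)));
```

Note that escaping has to happen at the point where the text is inserted into HTML, with the rule for that context; escaping on input, or escaping only the message body while leaving the sender name raw, leaves the same hole open through another field.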

Edit, October 6, 2008: the problem is now fixed.


2 thoughts on “MessengerFX allows your contacts to take control over your WLM”

  1. Pingback: MessengerFX’s security problem corrected - Un développeur freelance à Lille
  2. iris says:
    August 3, 2009 at 6:25 pm

    ola
