Tlen.pl versions 5.23.4.1 and below suffer from a remote script execution vulnerability.
e8ca200d31b825e6ab2973601348deb5fb5ffa6c0c79b7ae7681ef26fa074147
Product: Tlen.pl (<= 5.23.4.1)
Vendor: o2.pl Sp. z o.o. (http://www.tlen.pl/)
Impact: Remote script execution
Severity: High
Authors: Blazej Miga <bla@man.poznan.pl>,
Jaroslaw Sajko <sloik@man.poznan.pl>
Date: 20/12/04
[ISSUE]
Tlen.pl is the instant messenger application used by more than 700 000
users.
There is a vulnerability in message parsing which allows remote execution
of arbitrary script.
[DETAILS]
There is a parsing error. We can send a malicious string which has an url
inside. This url can be a javascript code for example. Code will execute
when the window with the message pops up.
[POF]
Send such a string to any receipent:
www.tlen.pl"style=background-image:url(javascript:alert(%22You%20are%20owned!%22));.pl
[SOLUTION]
Please upgrade to the newest version (5.23.4.2)
Copyright Poznan Supercomputing and Networking Center