[37308] in bugtraq
Hotfoon Ver 4.0 Highv Risk
daemon@ATHENA.MIT.EDU (saudi linux)
Wed Nov 10 23:10:42 2004
Date: 10 Nov 2004 15:29:26 -0000
Message-ID: <20041110152926.1763.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: saudi linux <ksa2ksa@yahoo.com>
To: bugtraq@securityfocus.com
What is Hotfoon?
Hotfoon is a new type of Internet telephony that is very inexpensive, easy to setup and use.
Hotfoon's current service enables you to:
Make long distance calls at near local rates.
Talk to other Hotfoon users for free.
Ver:4.0
APP web site :http://www.hotfoon.com/
==========================================================================
vuln
the attacker can exploit chat with user by send a link to random user and hoyfoon directly open the link in IE or the web broser
whithout alert user.
==========================================================================
exploit
1)open hotfoon program
2)select chat to random user
3)in chat window ,send the URL that contains bad code such as ( XSS,IE exploit,or EXE file with webdownloader ..etc )
4)the web broser or IE (tested in IE) will directly open the link without alert user.
==========================================================================
Saudi Linux
