ICQ versions 7.5 and below suffer from a cross site scripting vulnerability.
+-----------------------------------------------------------------------------+
| noptrix.net - Public Security Advisory |
+-----------------------------------------------------------------------------+
Date:
-----
07/26/2011
Vendor:
-------
ICQ - https://www.icq.com/
Affected Software:
------------------
Software: ICQ
Version: <= 7.5
Affected Platforms:
-------------------
Windows (XP, Vista, 7)
Vulnerability Class:
--------------------
Cross-Site Scripting
Description:
------------
ICQ suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the profile entries.
Proof of Concept:
-----------------
The following JavaScript payload, entered as a profile entry, triggers the
described vulnerability:
--- SNIP ---
"><iframe src=z onload=alert('xss_p0wer_lol') <
--- SNIP ---
For a PoC demonstration see:
- https://www.noptrix.net/tmp/icq_cli_xss.png
Impact:
-------
An attacker could trivially hijack the session IDs of remote users and leverage the
vulnerability to extend the attack to the underlying software and operating
system of the victim.
Threat Level:
-------------
High
Solution:
---------
icq.com has to validate the characters accepted in profile entries and sanitize
(HTML-encode) them on output wherever they are rendered.
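As an added illustration of the Description and Solution sections (example code written for this page, not ICQ's or the advisory author's), the following JavaScript contrasts a rendering that concatenates a profile entry straight into markup with the two mitigations named above: validation of the stored value and HTML-encoding on output. The `nickname` field and the `<span>` template are assumptions for illustration; the sample input is the advisory's own PoC string.

```javascript
// Constructed sample input: the advisory's proof-of-concept profile entry.
const POC_PAYLOAD = `"><iframe src=z onload=alert('xss_p0wer_lol') <`;

// Vulnerable pattern: the raw entry lands inside an attribute and the element
// body, so a closing quote plus '>' breaks out and injects a new element.
function renderProfileUnsafe(nickname) {
  return `<span class="nick" title="${nickname}">${nickname}</span>`;
}

// Output sanitization: encode the characters that carry meaning in HTML text
// and attribute contexts so the entry is displayed literally.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfileSafe(nickname) {
  const n = escapeHtml(nickname);
  return `<span class="nick" title="${n}">${n}</span>`;
}

// Input validation: a nickname has no legitimate use for markup characters, so
// reject such entries before they are stored. Persistent XSS lives in the
// stored value, so this check is the first line of defence; encoding on output
// (above) is still required for anything stored before the check existed.
function isValidNickname(s) {
  return typeof s === "string" && s.length > 0 && s.length <= 64 &&
    /^[\p{L}\p{N} _.-]+$/u.test(s);
}

// Check helper: does rendered markup contain any tag other than the template's
// own <span>? Used to prove the encoded output is inert.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z]+)/g) || [];
  return tags.some((t) => !/^<\/?span$/i.test(t));
}
```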
Notes:
------
To the whole world: Funny thing: Anglophone and German media refer to me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insist
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.