Skype versions 5.3.0.120 and below suffer from a persistent cross-site scripting vulnerability.
+-----------------------------------------------------------------------------+
| noptrix.net - Public Security Advisory |
+-----------------------------------------------------------------------------+
Date:
-----
07/13/2011
Vendor:
-------
Skype Limited - http://www.skype.com/
Affected Software:
------------------
Software: Skype
Version: <= 5.3.0.120
Affected Platforms:
-------------------
Windows (XP, Vista, 7)
Mac OS X <= 10.6.8
Vulnerability Class:
--------------------
Cross-Site Scripting
Description:
------------
Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "mobile phone" profile entry.
Other input fields may also be affected.
Proof of Concept:
-----------------
The following JavaScript payload can be used as the "mobile phone" entry to
trigger the described vulnerability:
--- SNIP ---
"><iframe src='' onload=alert('mphone')>
--- SNIP ---
For a PoC demonstration see http://www.noptrix.net/tmp/skype_xss.png
Impact:
-------
An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to extend the attack to the underlying software and operating
system of the victim.
Threat Level:
-------------
High!
Solution:
---------
skype.com has to validate the input characters and sanitize the output.
Vendor Contact:
---------------
The vendor will be contacted on the 13th or 14th of July 2011.