ICQ.com suffers from a cross site scripting vulnerability due to a lack of input validation and output sanitization of the feeds entry.
+-----------------------------------------------------------------------------+
| noptrix.net - Public Security Advisory |
+-----------------------------------------------------------------------------+
Date:
-----
07/26/2011
Vendor:
-------
ICQ website - http://www.icq.com/
Affected Software:
------------------
Software: icq.com website
Version: current
Affected Web-Browsers:
----------------------
Mozilla Firefox, Chrome, Internet Explorer, Safari
Vulnerability Class:
--------------------
Cross-Site Scripting
Description:
------------
icq.com suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "feeds" entry.
Other input fields may also be affected.
Proof of Concept:
-----------------
The following JavaScript payload can be submitted as a "feed" entry to trigger
the described vulnerability:
--- SNIP ---
"><iframe src=a onload=alert('feed') <
--- SNIP ---
For a PoC demonstration see:
- http://www.noptrix.net/tmp/icq_web_xss.png
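The advisory attributes the issue to a lack of output sanitization of the stored "feed" entry. The following Python snippet (added here for illustration; it is not the advisory's or ICQ's code, and the <input> template is an assumed rendering context) shows the payload quoted above breaking out of an attribute when concatenated raw, and staying inert when the entry is HTML-attribute-encoded before rendering.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the payload quoted in the advisory, stored as a "feed" entry.
FEED_PAYLOAD = """"><iframe src=a onload=alert('feed') <"""

def render_feed_unsafe(entry: str) -> str:
    """Naive rendering: the stored entry is concatenated straight into an
    attribute value, so a leading '">' closes the attribute and the tag."""
    return f'<input name="feed" value="{entry}">'

def render_feed_safe(entry: str) -> str:
    """Hardened rendering: encode the entry for the HTML attribute context.
    html.escape(quote=True) turns < > & " ' into entities, so the value can
    neither close the attribute nor open a new element."""
    return f'<input name="feed" value="{html.escape(entry, quote=True)}">'

_TAG_OPEN = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")

def tag_names(rendered: str) -> list:
    """Element names a browser would see as tag openers in the rendered markup."""
    return [m.group(1).lower() for m in _TAG_OPEN.finditer(rendered)]

class _AttrCollector(HTMLParser):
    """Collects the attributes of the <input> element we emitted."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def decoded_feed_value(rendered: str) -> str:
    """Parse the safely rendered <input> and return its value attribute as a
    browser would decode it (entities resolved): the data survives intact."""
    parser = _AttrCollector()
    parser.feed(rendered)
    parser.close()
    return parser.attrs.get("value", "")

if __name__ == "__main__":
    print(tag_names(render_feed_unsafe(FEED_PAYLOAD)))  # ['input', 'iframe']
    print(tag_names(render_feed_safe(FEED_PAYLOAD)))    # ['input']
```

Encoding at output time neutralizes the stored payload without rejecting or mangling the user's text, which is why output encoding is the primary fix and input validation only a secondary layer.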
Impact:
-------
An attacker could trivially hijack the session IDs of remote users and use the
vulnerability as a foothold for further attacks against the victim's web browser
and operating system.
Threat Level:
-------------
High!
Notes:
------
To the whole world: Funny thing: Anglophone and German media refer to me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insist
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.