+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
07/13/2011

Vendor:
-------
Skype Limited - http://www.skype.com/

Affected Software:
------------------
Software: Skype
Version: <= 5.3.0.120

Affected Platforms:
-------------------
Windows (XP, Vista, 7)
Mac OS X <= 10.6.8

Vulnerability Class:
--------------------
Cross-Site Scripting

Description:
------------
Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "mobile phone" profile entry.
Other input fields may also be affected.

Proof of Concept:
-----------------
The following Javascript payload can be used as "mobile phone" entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src='' onload=alert('mphone')>

--- SNIP ---

For a PoC demonstration see http://www.noptrix.net/tmp/skype_xss.png

Impact:
-------
An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and
operating system of the victim.

Threat Level:
-------------
High!

Solution:
---------
skype.com has to validate the input characters and sanitize the output.

Vendor Contact:
---------------
The vendor will be contacted. 13th or 14th of July 2011.