Title: ====== Microsoft Skype Shop - GiftCards Persistent Vulnerability Date: ===== 2013-01-30 References: =========== http://www.vulnerability-lab.com/get_content.php?id=826 MICROSOFT SECURITY RESPONSE CENTER (MSRC) ID: 13603 MICROSOFT SECURITY RESPONSE CENTER (MSRC) MANAGER: CL VL-ID: ===== 826 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer, and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com. Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia. Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype`s original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns. (Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple persistent persistent web vulnerabilities in the Microsoft Skype GiftCards application. Report-Timeline: ================ 2013-01-03: Researcher Notification & Coordination 2013-01-09: Vendor Notification 2013-01-10: Vendor Response/Feedback 2013-01-29: Vendor Fix/Patch (MSRC) 2013-01-30: Public Disclosure Status: ======== Published Affected Products: ================== Microsoft Corp. Product: Skype Shop 2013 Q1 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple persistent input validation web vulnerabilities are detected in the official Microsoft Skype GiftCards application. The vulnerability allows an attacker to inject own malicious script code in the vulnerable module on application side (persistent). The vulnerabilities are located in the skype shop gift cards module when processing to list the giftcard of the buyer or customer. The script code will be injected via the send giftcard function and allows an attacker to inject persistent script code as name, message and information details. The code will be executed in the review module but also at the end in the giftcard which will be send to the customer or friend. The vulnerability can be exploited without application user account and with low required user interaction. Successful exploitation of the persistent input validation web vulnerability result in persistent session hijacking, persistent phishing, external redirect, external malware loads and persistent vulnerable module context manipulation. Vulnerable Service(s): [+] Microsoft Corp. - Skype [Shop Service] Vulnerable Module(s): [+] Skype GiftCards Vulnerable Parameter(s): [+] An (to)- Name [+] Von (from) - Name [+] Vorname oder Rufname [+] Gift Card Message Body Proof of Concept: ================= The vulnerability can be exploited by remote attackers without privileged application user account and with low required user interaction. For demonstration or reproduce ... Review: Skype GiftCards - Name

Hallo, <[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]">.
Review: Skype GiftCards - Ecard and Message Text

An <[PERSISTENT INJECTED SCRIPT CODE!]%20_[PERSISTENT INJECTED SCRIPT CODE!]">,