+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
07/26/2011

Vendor:
-------
ICQ - http://www.icq.com/

Affected Software:
------------------
Software: ICQ
Version: <= 7.5

Affected Platforms:
-------------------
Windows (XP, Vista, 7)

Vulnerability Class:
--------------------
Cross-Site Scripting

Description:
------------
ICQ suffers from a persistent (stored) Cross-Site Scripting vulnerability due to
a lack of input validation and output sanitization of the profile entries: text
entered into a profile field is later rendered to other users without encoding.

Proof of Concept:
-----------------
The following JavaScript payload can be used as a profile entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src=z onload=alert('xss_p0wer_lol') <

--- SNIP ---

For a PoC demonstration see:
    - http://www.noptrix.net/tmp/icq_cli_xss.png

Impact:
-------
An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability as a stepping stone toward the underlying software and operating
system of the victim.

Threat Level:
-------------
High

Solution:
---------
icq.com has to validate the input characters of profile entries and sanitize
(HTML-encode) the output wherever those entries are rendered.

Notes:
------
To the whole world: Funny thing: Anglophone and German media refer to me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insist
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.