+-----------------------------------------------------------------------------+
| noptrix.net - Public Security Advisory                                      |
+-----------------------------------------------------------------------------+

Date:
-----
07/26/2011

Vendor:
-------
ICQ - http://www.icq.com/

Affected Software:
------------------
Software: ICQ
Version: <= 7.5

Affected Platforms:
-------------------
Windows (XP, Vista, 7)

Vulnerability Class:
--------------------
Cross-Site Scripting

Description:
------------
ICQ suffers from a persistent (stored) Cross-Site Scripting vulnerability: profile entries are neither validated on input nor encoded on output, so markup placed in a profile field is rendered as HTML wherever that profile is displayed.

Proof of Concept:
-----------------
The following payload, entered as a profile entry, triggers the vulnerability. It closes the quoted attribute and the tag the profile value is written into, then injects an iframe whose onload handler runs attacker-controlled script; the trailing "<" is there to absorb the remainder of the original markup:

--- SNIP ---
"><iframe src=z onload=alert('xss_p0wer_lol') <
--- SNIP ---

For a PoC demonstration see:
- http://www.noptrix.net/tmp/icq_cli_xss.png

Impact:
-------
Because the payload is stored in the profile, it is delivered to every user who views that profile. An attacker could trivially steal the session identifiers of remote users, and script executing in the victim's client gives a foothold for further attacks against the underlying client software and operating system.

Threat Level:
-------------
High

Solution:
---------
icq.com has to validate the characters accepted in profile entries and encode each entry for the HTML context in which it is rendered.

Notes:
------
To the whole world: Funny thing: Anglophone and German media refer to me as Armenian in their Skype XSS articles, yet all the Turkish news sites insist that I am Turkish. For the record, I am Armenian, and my people have been persecuted by Turkey for hundreds of years. Thanks.
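As an added illustration of the defect described above and of the fix proposed under Solution (this is example code written for this page, not ICQ's or icq.com's code), the block below renders a profile the vulnerable way, by concatenating field values straight into markup, and then the hardened way, with contextual HTML encoding plus an input allowlist. The field names (nickname, avatar, about), the HTML template and the sample profile are assumptions; the payload is the one from the advisory.

```javascript
// Added example (not ICQ's code): the rendering defect the advisory
// describes, beside a hardened version. Field names, template and the
// sample profile below are assumptions made for this illustration.

// The payload from the advisory, verbatim.
const PAYLOAD = "\"><iframe src=z onload=alert('xss_p0wer_lol') <";

// Vulnerable: profile values are concatenated straight into markup, so a
// value that closes the surrounding attribute and tag injects a new
// element (here an <iframe> carrying an onload handler).
function renderProfileVulnerable(profile) {
  return '<div class="profile">' +
    '<img src="' + profile.avatar + '" alt="' + profile.nickname + '">' +
    '<span class="nick">' + profile.nickname + '</span>' +
    '<p class="about">' + profile.about + '</p>' +
    '</div>';
}

// Output encoding: replace every character that has meaning in an HTML
// text node or in a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(value).replace(/[&<>"'`]/g, c => map[c]);
}

// Hardened: same template, but every untrusted value is encoded for the
// context it lands in, and attribute values are always quoted.
function renderProfileSafe(profile) {
  return '<div class="profile">' +
    '<img src="' + escapeHtml(profile.avatar) + '" alt="' + escapeHtml(profile.nickname) + '">' +
    '<span class="nick">' + escapeHtml(profile.nickname) + '</span>' +
    '<p class="about">' + escapeHtml(profile.about) + '</p>' +
    '</div>';
}

// Input validation (defence in depth): a nickname has no business containing
// markup characters, so reject such input before it is stored. Allowed here
// (an assumed policy): letters, digits, space, underscore, dot, hyphen; 1-32 chars.
function isValidNickname(nickname) {
  return /^[\p{L}\p{N} _.-]{1,32}$/u.test(nickname);
}

// Check: element names present in the output that are not part of the
// template. Anything listed was injected by a profile value.
const TEMPLATE_TAGS = new Set(['div', 'img', 'span', 'p']);
function injectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<([A-Za-z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed sample profile carrying the payload in the nickname field.
const SAMPLE_PROFILE = { nickname: PAYLOAD, avatar: 'avatar.png', about: 'hello' };

// Runs both renderers over the sample and reports what each one leaks.
function demo() {
  return {
    vulnerableInjects: injectedTags(renderProfileVulnerable(SAMPLE_PROFILE)),
    hardenedInjects: injectedTags(renderProfileSafe(SAMPLE_PROFILE)),
    nicknameAccepted: isValidNickname(PAYLOAD),
  };
}

console.log(JSON.stringify(demo()));
```

The allowlist is a second line of defence only: free-text fields such as "about" cannot be restricted that way, so the encoding in renderProfileSafe is the control that must hold regardless. Note also that escapeHtml is sufficient for text nodes and quoted attribute values but not for URL attributes such as src, where a scheme check (rejecting javascript: and the like) is needed in addition.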