+-----------------------------------------------------------------------------+ | noptrix.net - Public Security Advisory | +-----------------------------------------------------------------------------+ Date: ----- 07/26/2011 Vendor: ------- ICQ website - http://www.icq.com/ Affected Software: ------------------ Software: icq.com website Version: current Affected Web-Browsers: ------------------- Mozilla Firefox, Chrome, Internet Explorer, Safari Vulnerability Class: -------------------- Cross-Site Scripting Description: ------------ icq.com suffers from a persistent Cross-Site Scripting vulnerability due to a lack of input validation and output sanitization of the "feeds" entry. Other input fields may also be affected. Proof of Concept: ----------------- The following Javascript payload can be used as "feed" entry to trigger the described vulnerability: --- SNIP --- "><iframe src=a onload=alert('feed') < --- SNIP --- For a PoC demonstration see: - http://www.noptrix.net/tmp/icq_web_xss.png Impact: ------- An attacker could trivially hijack session IDs of remote users and leverage the vulnerability to increase the attack vector to the underlying web-browser and operating system of the victim. Threat Level: ------------- High! Notes: ------ To the whole world: Funny thing: Anglophone and German media refer me as Armenian in their Skype XSS articles, yet all the Turkish news sites insists that I am Turkish. For the record, I am Armenian and my people have been persecuted by Turkey for hundreds of years. Thanks.