Skype Input Validation Flaw in 'mobile phone' Profile Entry Permits Cross-Site Scripting Attacks - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (VoIP) > Skype

Vendors: Skype Technologies

Skype Input Validation Flaw in 'mobile phone' Profile Entry Permits Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1025789

SecurityTracker URL: http://securitytracker.com/id/1025789

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Jul 16 2011

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Exploit Included: Yes

Version(s): 5.3.0.120 and prior versions

Description: A vulnerability was reported in Skype. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input in the The "mobile phone" profile entry before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Skype software and will run in the security context of that application. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the application, access data recently submitted by the target user via web form to the application, or take actions on the application acting as the target user.

A demonstration exploit is provided:

"><iframe src='' onload=alert('mphone')>

The original advisory is available at:

http://www.noptrix.net/advisories/skype_xss.txt

Levent 'noptrix' Kayan reported this vulnerability.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Skype software, access data recently submitted by the target user, or take actions on the application acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.skype.com/ (Links to External Site)

Cause: Input validation error

Underlying OS: UNIX (OS X), Windows (Any)

Message History: None.

Source Message Contents

Date: Wed, 13 Jul 2011 16:08:48 +0200
Subject: [Full-disclosure] Skype <= 5.3.0.120 persistent Cross-Site Scripting Issue

Within I will disclose a platform-neutral Cross-site scripting
vulnerability in Skype which can be exploited to hijack user's session
IDs or compromise user's browser/system. The vulnerability is caused by
poor validation and sanitization of input/output.

Links:
PoC and advisory can be found here:
http://www.noptrix.net/advisories/skype_xss.txt
for a demonstration see: http://www.noptrix.net/tmp/skype_xss.png


cheers,
noptrix

-- 
Name: Levent 'noptrix' Kayan
E-Mail: noptrix@lamergarten.net
GPG key: 0x014652c0
Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0 
Homepage: http://www.noptrix.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC