Monday, August 22, 2011

Skype Zeroday HTML/Javascript code injection

Noptri Public Security has released a working Skype zero day vulnerability with POC for Skype. Skype users need be aware of this vulnerability.






Vendor:
=======

Skype - http://www.skype.com/





Affected Product:

=================

Skype in version <= 5.5.0.113





Affected Platforms:

===================

Windows (XP, Vista, 7)


Problem Description:

====================

Skype suffers from a persistent code injection vulnerability due to a lack

of input validation and output sanitization of following profile entries:

    

    [+] home

    [+] office

    [+] mobile

POC of Skype 0day vulnerability 

The following HTML codes can be used to trigger the described vulnerability:



--- SNIP ---



    [+] Home Phone Number:

    <b>INJECTION HERE</b>



    [+] Office Phone Number:

    <center><i>INJECTION HERE</i></center>

    

    [+] Mobile Phone Number:

    <a href="#">INJECTION HERE</a>



--- SNIP ---
By using this code An attacker could for example inject HTML/Javascript code. It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files










Posted by





at
8:13 AM



















Labels:
,
,

















No comments:















Post a Comment


















        

      









Subscribe to:
Post Comments (Atom)