===============================================================================
|                                                                             |
          ~    .__ °.__   0       o                    ^   .__ °__  `´
   °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.
   /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |
  | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|
  |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|
  `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================                  


~|Title|: 

ICQ - Persistent Cross Site Scripting Vulnerability


~|Author|:

noptrix


~|Date|:

07-26-2011


~|Vendor|:

ICQ - http://www.icq.com/


~|Affected Product|:

ICQ Client in version <= 7.5


~|Affected Platforms|:

Windows (XP, Vista, 7)


~|Vulnerability Class|:

Cross Site Scripting


~|Description|:

ICQ suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the profile entries.


~|Proof of Concept (or Exploit)|:

The following Javascript payload can be used as profile entries to trigger
the described vulnerability:

--- SNIP ---

"><iframe src=z onload=alert('xss_p0wer_lol') <

--- SNIP ---

For a PoC demonstration see:

    [+] http://www.nullsecurity.net/tmp/icq_cli_xss.png
    [+] http://www.nullsecurity.net/tmp/icq_cli_xss2.png


~|Impact|:

An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and
operating system of the victim.


~|Threat Level|:

High


~|Status|:

Fixed.


~|Disclaimer|:

nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!

                Copyright (c) 2011 - nullsecurity.net