23.08.2011, 16:08
|
#1 (permalink)
|
|
Шпион
Government вне форума
Регистрация: 30.12.2008
Сообщений: 81
ICQ: 596828
|
Skype zero day HTML/(Javascript) code injection
Цитата:
Noptri Public Security Advisory has publised a working skype zero day vulnerability with POC for skype. Skype users need be aware of this vulnerability.
Affected Software:
Software: Skype <= 5.5.0.113
Affected Platforms:
Windows (XP, Vista, 7)
Problem Description:
Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of following profile entries:
[+] home
[+] office
[+] mobile
Proof of Concept:
The following HTML codes can be used to trigger the described vulnerability:
--- SNIP ---
[+] Home Phone Number:
<b>INJECTION HERE</b>
[+] Office Phone Number:
<center><i>INJECTION HERE</i></center>
[+] Mobile Phone Number:
<a href="#">INJECTION HERE</a>
Impact:
An attacker could for example inject HTML/Javascript code. It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files...
|
Источник: http://www.thehackernews.com/2011/08...ript-code.html
Пока не пофиксили  |
|
|
|
Линейный вид
