RE: Skype videomood XSS

To: "'Miroslav Lu?inskij'" <miroslav.lucinskij@xxxxxxxxxxx>
Subject: RE: Skype videomood XSS
From: "avivra" <avivra@xxxxxxxxx>
Date: Thu, 17 Jan 2008 22:23:46 +0200
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; bh=SrbyUVofTzjXNJQRuHjVTId1/6HLL+oDI+FjUrF+mLg=; b=Dn1gaq0C/F9559hjacjd9Cq0BsXf8HoSsBwwVfQh12KVTvX4yOWcPmy2L3s7526Y5XqgGJ81+L1i1HEmM2i0IMfi7VOH0wHkHWEVw6WQyjk6Kw3DCS14SsOQ8tCP4mP6CUwXiNiNzBtuhWWIwNvQBAHW1P/h+tBV/HFk94xgfmA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; b=QciukFTL4qBqaodRc0pm6CQfFDMbw58ZDunvRhOSxvH1oE/IN7rTAoFUJbZav3+tZPCtetL2h/53inqH+mRKBXEkgQOZGtOigZgwXdvPbZKkmrZKIezprIt5+l9mbMmw1jajihwRddM6MmSHaXJJ8sa1vItJqoJdfbQisIPYLf4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AchZRts5QVtye6ZvRyqtaq6Kag8vXw==

> I want to share some of our thoughts on Skype security. 
> I will try to be short: Skype has a feature, which allows user to insert a
video into his mood - video selection is done through skype partners and is
based on regular WEB functionality. 
> So this feature practically inherits WEB's problems - in this particular
case it's XSS attacks.

This is actually an exploitable Cross-Zone Scripting vulnerability.
More information here:
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx

--Aviv.

Prev by Date: [CSNC] OKI C5510MFP Printer Password Disclosure
Next by Date: CORE-2007-1119: CORE FORCE Kernel Buffer Overflow
Previous by thread: [CSNC] OKI C5510MFP Printer Password Disclosure
Next by thread: CORE-2007-1119: CORE FORCE Kernel Buffer Overflow
Index(es):
- Date
- Thread