RE: Skype videomood XSS
- To: "'Miroslav Lučinskij'" <miroslav.lucinskij@xxxxxxxxxxx>
- Subject: RE: Skype videomood XSS
- From: "avivra" <avivra@xxxxxxxxx>
- Date: Thu, 17 Jan 2008 22:23:46 +0200
- Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
> I want to share some of our thoughts on Skype security.
> I will try to be short: Skype has a feature, which allows user to insert a
> video into his mood - video selection is done through skype partners and is
> based on regular WEB functionality.
> So this feature practically inherits WEB's problems - in this particular
> case it's XSS attacks.
This is actually an exploitable Cross-Zone Scripting vulnerability.
More information here:
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
--Aviv.