lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006b01c8642f$1982c460$4c884d20$@com>
Date: Thu, 31 Jan 2008 19:31:21 +0200
From: "avivra" <avivra@...il.com>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: Attackers can SkypeFind you

A patch for the cross-zone scripting vulnerability in Skype is still not
available. As I mentioned in my first advisory, Skype renders HTML pages in
several dialogs.
One of these dialogs is used by a feature called "SkypeFind". This feature,
available from version 3.1, allows Skype users promote and review businesses
around the world. Sadly, it could also be used by attackers to own Skype
users' machines.

Within this feature any Skype user can add a new business and review an
existing business. Skype does a great job sanitizing the data provided in
the business item entry, and also the text provided in the user's reviews.
Unfortunately, they forgot to sanitize the full name of the reviewers. So,
an attacker can inject a malicious script in his Skype's Full Name, and
whenever a victim will view a business which was reviewed by the attacker,
in the SkypeFind dialog, the malicious script will be executed in an
unlocked Local Zone!

I've contacted Skype security team, and they have provided a quick server
side fix for the full name issue.
Unfortunately, this is not enough! I'm worried that there are probably other
ways to inject a script to this dialog. 
I advised Skype to disable this feature until they provide a patch for the
cross-zone scripting vulnerability. For no good reason, they have decided to
decline my advice.

More information:
http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx 

--Aviv.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ