ICQ WEB Portal multiple Cross Site Scripting vulnerability

From: acz [iSecureLabs] (aurelien.cabezon@iSecureLabs.com)
Date: 09/20/99


From: "acz [iSecureLabs]" <aurelien.cabezon@iSecureLabs.com>
To: <Bugtraq@securityfocus.com>
Subject: ICQ WEB Portal multiple Cross Site Scripting vulnerability
Date: Mon, 20 Sep 1999 12:30:29 +0200
Message-ID: <GCEDJILAIFDLIEDHEIMPKEEHCMAA.aurelien.cabezon@iSecureLabs.com>


--[ ICQ WEB Portal multiple Cross Site Scripting vulnerability ]--

Problem discovered: 19/09/2001
by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com |
http://www.iSecureLabs.com

--[ Overview ]--

The ICQ portal suffers from multiple cross-site scripting vulnerabilities.
http://www.icq.com

--[ Description ]--

ICQ web portal may inadvertently include malicious HTML tags or script in a
dynamically generated page based on unvalidated input from untrustworthy
sources.
This can be a problem when a web server does not adequately ensure that
generated pages are properly encoded to prevent unintended execution of
scripts, and when input from a form is not validated to prevent malicious
HTML from being presented to the user.

The search script http://search.icq.com/dirsearch.adp no longer checks
for malicious HTML or JavaScript code.

--[ Example 1 ]--
http://search.icq.com/dirsearch.adp?query=>Hello
!</h1><script>alert('hello');</script>est&wh=is&users=1

Screenshots:
http://www.isecurelabs.com/advisory/icq1.jpg
http://www.isecurelabs.com/advisory/icq2.jpg

--[ Example 2 ]--
http://web.icq.com/foo/>alert('hello');</script>

Screenshots:
http://www.isecurelabs.com/advisory/icq3.jpg
http://www.isecurelabs.com/advisory/icq4.jpg

--[ Fix ]--

ICQ Team has been alerted

--[ Information about CSS ]--

http://httpd.apache.org/info/css-security/apache_specific.html
http://www.cert.org/advisories/CA-2000-02.html

---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal
http://www.isecurelabs.com/advisory/icq-css.html
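
The output-encoding requirement from the Description, as an added example that is not part of the original advisory or ICQ's code: it renders the same search term with and without HTML encoding and checks, with an HTML parser, whether the input became an element or stayed text. The page template and all function names are hypothetical, and the sample URL is constructed from the parameter layout in Example 1; the same encoding applies where a request path is reflected, as in Example 2.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed input modelled on the advisory's Example 1; the markup is a
# harmless alert and the parameter names (query, wh, users) come from the page.
PAYLOAD = "<script>alert('hello');</script>"
SAMPLE_URL = "http://search.icq.com/dirsearch.adp?" + urlencode(
    {"query": PAYLOAD, "wh": "is", "users": "1"})

# Hypothetical results page; the real template is not shown in the advisory.
TEMPLATE = "<html><body><h1>Results for {term}</h1></body></html>"


def query_term(url):
    """Return the decoded 'query' parameter, as a server-side script receives it."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_unencoded(term):
    """Reflect the term verbatim: the behaviour the advisory reports."""
    return TEMPLATE.format(term=term)


def render_encoded(term):
    """Encode at output time so <, >, & and quotes are displayed, not parsed."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _Outline(HTMLParser):
    """Records the elements and text an HTML parser sees in a page."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def outline(page):
    """Return (element names, text content) for a rendered page."""
    parser = _Outline()
    parser.feed(page)
    parser.close()
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    term = query_term(SAMPLE_URL)
    print(outline(render_unencoded(term)))  # the input became an element
    print(outline(render_encoded(term)))    # the input stayed text
```

A check like `outline()` can serve as a regression test for any page that reflects request data: the element list of the rendered page should match the template's own elements regardless of the input.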


