From: Assephira Consulting (aurelien.cabezonassephira.com)
Date: Mon Sep 20 1999 - 05:43:01 CDT

    --[ ICQ Portal multiple Cross Site Scripting vulnerability ]--
    Problem discovered: 19/09/2001 by Cabezon Aurélien |
    aurelien.cabezoniSecureLabs.com | http://www.iSecureLabs.com

    --[ Overview ]--

    The ICQ portal suffers from multiple cross-site scripting vulnerabilities.
    http://www.icq.com

    --[ Description ]--

    The ICQ web portal may inadvertently include malicious HTML tags or script in a
    dynamically generated page based on unvalidated input from untrustworthy
    sources.
    This can be a problem when a web server does not adequately ensure that
    generated pages are properly encoded to prevent unintended execution of
    scripts, and when input from a form is not validated to prevent malicious
    HTML from being presented to the user.

    The search script http://search.icq.com/dirsearch.adp no longer checks
    for malicious HTML or JavaScript code.

    Example 1
    http://search.icq.com/dirsearch.adp?query=>Hello</h1><script>alert('hello
    ');</script>est&wh=is&users=1

    Screen Shots:
    http://www.isecurelabs.com/advisory/icq1.jpg
    http://www.isecurelabs.com/advisory/icq2.jpg

    Example 2
    http://web.icq.com/foo/>alert('hello');</script>

    Screen Shots:
    http://www.isecurelabs.com/advisory/icq3.jpg
    http://www.isecurelabs.com/advisory/icq4.jpg

    --[ Fix ]--

    ICQ Team has been alerted

    --[ Information about CSS ]--

    http://httpd.apache.org/info/css-security/apache_specific.html
    http://www.cert.org/advisories/CA-2000-02.html

    ---
    Cabezon Aurélien | aurelien.cabezoniSecureLabs.com
    http://www.iSecureLabs.com | French Security Portal
    http://www.isecurelabs.com/advisory/icq-css.html
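
The output encoding that the Description section says was missing, shown as an added example that is not part of the original advisory and is not ICQ's code. The handler names, the example.test hosts and the page templates are hypothetical; the probe string is the harmless alert from the advisory, and the two URLs are constructed to mirror its two cases (a reflected query parameter and a reflected request path).

```python
import html
from urllib.parse import urlsplit, parse_qs, unquote, urlencode, quote

# Constructed inputs (not captured traffic): the advisory's harmless alert probe,
# sent once as a query parameter and once as part of the request path.
PAYLOAD = "><script>alert('hello');</script>"
SEARCH_URL = "http://search.example.test/dirsearch.adp?" + urlencode(
    {"query": PAYLOAD, "wh": "is", "users": "1"})
PATH_URL = "http://web.example.test/foo/" + quote(PAYLOAD, safe="")


def render_search_unsafe(query: str) -> str:
    """The flawed pattern: request input is copied into the page as-is."""
    return f"<h1>Results for {query}</h1>"


def render_search(query: str) -> str:
    """Hardened form: HTML-encode the value before writing it into markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_not_found(raw_path: str) -> str:
    """Error pages echo the request path, so it needs the same encoding."""
    return f"<p>Not found: {html.escape(unquote(raw_path), quote=True)}</p>"


def handle(url: str) -> str:
    """Hypothetical dispatcher covering both reflection points."""
    parts = urlsplit(url)
    if parts.path.endswith("/dirsearch.adp"):
        query = parse_qs(parts.query).get("query", [""])[0]
        return render_search(query)
    return render_not_found(parts.path)


def reflects_raw(page: str, value: str) -> bool:
    """Regression check: True if a value containing markup characters
    reached the generated page without being encoded."""
    return any(ch in value for ch in "<>\"'&") and value in page


if __name__ == "__main__":
    print("unsafe reflects raw:", reflects_raw(render_search_unsafe(PAYLOAD), PAYLOAD))
    print("search page:", handle(SEARCH_URL))
    print("error page: ", handle(PATH_URL))
```

The `reflects_raw` check can be run against every page template that echoes request data, which catches a regression such as the one the advisory reports for the search script.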