Bugtraq mailing list archives
RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
From: rms () privacyfoundation org (Richard M. Smith)
Date: Fri, 24 Aug 2001 13:36:24 -0400
I suspect this bug is also exploitable from HTML email by including the magic ICQ URL in an <IFRAME> tag embedded in the message. Richard -----Original Message----- From: AreS [mailto:ares () security-downloads com] Sent: Wednesday, August 22, 2001 6:14 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Topic: ICQ Forced Auto-Add Users Announced: 2001-08-17 Affects: ICQ 200x* up to 2001a Alpha DISCLAIMER: *********** THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. I. Problem Description ********************** ICQ is a popular and free chat program, with over 108,022,319 users all over the world. When ICQ is installed, it adds a Content-Type to Microsoft Internet Exploder, the "application/x-icq" type. When IE receives "Content-Type: application/x-icq" from a web server and following content:
Current thread:
- Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users AreS (Aug 22)
- Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Gustavo Molina (Aug 24)
- RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Richard M. Smith (Aug 24)
- RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Chris (Aug 25)