Bugtraq mailing list archives

RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users


From: rms () privacyfoundation org (Richard M. Smith)
Date: Fri, 24 Aug 2001 13:36:24 -0400

I suspect this bug is also exploitable from HTML email by including the
magic ICQ URL in an <IFRAME> tag embedded in the message.

Richard

-----Original Message-----
From: AreS [mailto:ares () security-downloads com] 
Sent: Wednesday, August 22, 2001 6:14 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users


Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Topic: ICQ Forced Auto-Add Users
Announced: 2001-08-17
Affects: ICQ 200x* up to 2001a Alpha

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
ICQ is a popular and free chat program, with over 108,022,319 users all
over the world. When ICQ is installed, it adds a Content-Type to
Microsoft Internet Exploder, the "application/x-icq" type. When IE
receives "Content-Type: application/x-icq" from a web server and
the following content:

