Full Disclosure mailing list archives

ICQ Cross Site Scripting Vulnerability


From: simo () morx org
Date: Wed, 18 Jan 2006 15:17:02 -0000 (GMT)

Title: ICQ Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Date: 10 January 2006
MorX Security Research Team
http://www.morx.org

Service: Web/Chat

Vendor: ICQ.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Tested on: Microsoft IE 6.0 and Firefox 1.5

Description:

(From Wikipedia, the free encyclopedia)

ICQ is an instant messaging computer program, created by Mirabilis, an
Israeli start-up company based in Tel-Aviv.
The program was first released in November, 1996, and was the first
all-internet instant messaging program.
ICQ was awarded two major patents by the U.S. patent office. The name ICQ
is a play on the phrase "I seek you".

ICQ allows the sending of text messages with offline support, URLs,
multi-user character-by-character chats,
resumable file transfers, SMSes, greeting cards and more. Other features
included a searchable user directory and
POP3 email support. Even though such features have been available since
around 2000, many of the main competitors
such as AOL Instant Messenger, MSN Messenger and Yahoo! Messenger have
failed to implement such power-user oriented
features even to this day. Instead, they have targeted younger users with
an avalanche of colors, avatars, and animations.

ICQ users are identified by numbers called UIN, distributed in sequential
order (though it is rumored there are gaps in the sequence). New users are
now given a UIN of well over 300,000,000, and low numbers (six digits or
fewer) have been auctioned on eBay by users who signed up in ICQ's early days.


Details:

The ICQ.com search script (search_result.php) is vulnerable to cross-site
scripting attacks. The problem is due to a failure of the application to
properly sanitize user input: the input reaches the vulnerable script
through two request parameters (gender and home_country_code), whose values
are reflected into the results page without encoding.

Impact:

An attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authenticated ICQ user in the context
of the ICQ web page. This results in the theft of cookie-based
authentication, giving the attacker temporary access to the victim's
account, and enables other types of attacks (for example forced re-login
pages that capture credentials).

Affected Script with PoC:

http://www.icq.com/whitepages/search_result.php?online=on&home_country_code=0&age_group=&gender=<script>alert('VULNERABLE')</script>&interest_text=&photo=1

http://www.icq.com/whitepages/search_result.php?online=on&home_country_code=<script>alert(document.cookie)</script>&age_group=&gender=1&interest_text=&photo=1

Detailed exploitation with screen captures:

http://www.morx.org/iseekyowned.html
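As an added defender-side example (not code from the advisory, from MorX, or from ICQ.com, whose search_result.php source is not public), the following Python models the class of bug described above: a results page that echoes the gender and home_country_code parameters straight into HTML, beside the hardened version that entity-encodes them with html.escape. It also includes a small detector that runs over constructed Common Log Format lines and flags request parameters to search_result.php whose percent-decoded value carries markup, which a plain grep for "<script" in the raw log would miss. The page layout, the log lines and the IP addresses are constructed assumptions, and the first proof-of-concept URL is taken from the advisory.

```python
"""
Added example, not from the advisory or ICQ.com: reflected-XSS model of the
search_result.php flaw, the hardened rendering beside it, and a detector
run over constructed web-server log lines.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as reflected into the results page.
REFLECTED_PARAMS = ("gender", "home_country_code")

# First proof-of-concept URL from the advisory.
POC_URL = ("http://www.icq.com/whitepages/search_result.php?online=on"
           "&home_country_code=0&age_group=&gender=<script>alert('VULNERABLE')</script>"
           "&interest_text=&photo=1")


def query_params(url):
    """Return the query string as {name: first_value}, keeping blank values."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_search_header(url, escape):
    """Build the fragment of a results page that echoes the search criteria.

    The real ICQ page is not available; this assumed layout reproduces the
    class of bug the advisory reports. With escape=False the parameter
    values land in the HTML unchanged, so <script>...</script> becomes live
    markup. With escape=True every value is entity-encoded (quotes included,
    so the same value is also safe inside an attribute).
    """
    params = query_params(url)
    items = []
    for name in REFLECTED_PARAMS:
        value = params.get(name, "")
        if escape:
            value = html.escape(value, quote=True)
        items.append(f"<li>{name}: {value}</li>")
    return "<ul>" + "".join(items) + "</ul>"


def render_vulnerable(url):
    """The reported behaviour: raw reflection of user input."""
    return render_search_header(url, escape=False)


def render_hardened(url):
    """The fix: contextual output encoding before the value hits the page."""
    return render_search_header(url, escape=True)


# Detection side. Constructed Common Log Format lines, not real ICQ traffic;
# the first carries the percent-encoded form of the advisory's second PoC.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
LOG_LINES = [
    '203.0.113.7 - - [18/Jan/2006:15:17:02 +0000] "GET /whitepages/search_result.php'
    '?online=on&home_country_code=%3Cscript%3Ealert(document.cookie)%3C/script%3E'
    '&age_group=&gender=1&interest_text=&photo=1 HTTP/1.1" 200 5120',
    '203.0.113.8 - - [18/Jan/2006:15:18:10 +0000] "GET /whitepages/search_result.php'
    '?online=on&home_country_code=49&age_group=&gender=2&interest_text=chess&photo=1'
    ' HTTP/1.1" 200 4870',
]


def suspicious_params(log_line):
    """Return (name, decoded_value) pairs for search_result.php requests
    whose decoded parameter value contains angle brackets.

    Decoding first matters: the attacker-sent form is percent-encoded, so
    matching the raw log line for '<script' would miss it.
    """
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.endswith("/search_result.php"):
        return []
    hits = []
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        for value in values:
            if "<" in value or ">" in value:
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(POC_URL))
    print("hardened  :", render_hardened(POC_URL))
    for line in LOG_LINES:
        print("log hits  :", suspicious_params(line))
```

Running the script prints the raw reflection with the script tag intact, the hardened output with the tag rendered as `&lt;script&gt;...`, and the detector flagging only the home_country_code value of the first log line. The detector deliberately reports any decoded value carrying angle brackets rather than only the two parameters the advisory names, since a reflection bug in one parameter of a script is a reasonable prompt to review all of them.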

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modifying, using and/or publishing this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/