icq-xss.txt

2006-01-25T00:00:00
ID PACKETSTORM:43327
Type packetstorm
Reporter _6mO_HaCk
Modified 2006-01-25T00:00:00

Description

                                        
Title: ICQ Cross Site Scripting
  
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>  
Date: 10 January 2006  
MorX Security Research Team  
http://www.morx.org  
  
Service: Web/Chat  
  
Vendor: ICQ.com  
  
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks  
  
Severity: Medium/High  
  
Tested on: Microsoft IE 6.0 and FireFox 1.5  
  
Description:  
  
(From Wikipedia, the free encyclopedia)  
  
ICQ is an instant messaging computer program, created by Mirabilis, an  
Israeli start-up company based in Tel-Aviv.  
The program was first released in November, 1996, and was the first  
all-internet instant messaging program.  
ICQ was awarded two major patents by the U.S. patent office. The name ICQ  
is a play on the phrase "I seek you".  
  
ICQ allows the sending of text messages with offline support, URLs,  
multi-user character-by-character chats,  
resumable file transfers, SMSes, greeting cards and more. Other features  
included a searchable user directory and  
POP3 email support. Even though such features have been available since  
around 2000, many of the main competitors  
such as AOL Instant Messenger, MSN Messenger and Yahoo! Messenger have  
failed to implement such power-user oriented  
features even to this day. Instead, they have targeted younger users with  
an avalanche of colors, avatars, and animations.  
  
ICQ users are identified by numbers called UIN, distributed in sequential  
order (though it is rumored there are gaps  
in the sequence). New users are now given a UIN of well over 300,000,000,  
and low numbers (six digits or fewer) have  
been auctioned on eBay by users who signed up in ICQ's early days.  
  
  
Details:  
  
The ICQ.com search script (search_result.php) is vulnerable to cross-site
scripting attacks. The problem is due to a failure in the application to
properly sanitize user input; the input can be passed to the vulnerable
script in two parameters (gender and home_country_code).
  
Impact:  
  
An attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authenticated ICQ user in the context
of the ICQ web page. This results in the theft of cookie-based
authentication, giving the attacker temporary access to the victim's
account, and enables other types of attacks.
  
Affected Script with PoC:  
  
http://www.icq.com/whitepages/search_result.php?online=on&home_country_code=0&age_group=&gender=<script>alert('VULNERABLE')</script>&interest_text=&photo=1  
  
http://www.icq.com/whitepages/search_result.php?online=on&home_country_code=<script>alert(document.cookie)</script>&age_group=&gender=1&interest_text=&photo=1  
  
Detailed exploitation with screen captures:  
  
http://www.morx.org/iseekyowned.html  
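The reflection described under Details and in the PoC above, as an added example that is not from the advisory or from ICQ: a constructed Python stand-in for the flawed page beside its HTML-escaped form, plus a detector that flags access-log requests to search_result.php whose gender or home_country_code values carry script markup after URL decoding. The stand-in page, the log lines and the client IPs are constructed assumptions, not ICQ's code or traffic.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two parameters the advisory reports as reflected by search_result.php.
REFLECTED_PARAMS = ("gender", "home_country_code")

def render_vulnerable(query: str) -> str:
    """Constructed stand-in for the flawed page (not ICQ's code): the
    parameters are echoed into the HTML verbatim."""
    p = parse_qs(query, keep_blank_values=True)
    gender, country = p.get("gender", [""])[0], p.get("home_country_code", [""])[0]
    return f"<p>Results for gender={gender}, country={country}</p>"

def render_hardened(query: str) -> str:
    """Same page with HTML entity encoding applied to every reflected value."""
    p = parse_qs(query, keep_blank_values=True)
    gender = html.escape(p.get("gender", [""])[0], quote=True)
    country = html.escape(p.get("home_country_code", [""])[0], quote=True)
    return f"<p>Results for gender={gender}, country={country}</p>"

# Markup that has no business in a gender or country-code value.
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Client IP and request target from a common/combined access-log line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def suspicious_requests(log_lines):
    """Return (client_ip, parameter, decoded_value) for requests to the
    affected script whose reflected parameters carry script markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/whitepages/search_result.php"):
            continue
        for name in REFLECTED_PARAMS:
            for value in parse_qs(url.query, keep_blank_values=True).get(name, []):
                decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
                if SCRIPT_RE.search(decoded):
                    hits.append((ip, name, decoded))
    return hits

# Constructed sample access-log lines (hypothetical, not real ICQ traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jan/2006:10:01:02 +0000] "GET /whitepages/search_result.php?online=on&home_country_code=0&gender=1&photo=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Jan/2006:10:02:15 +0000] "GET /whitepages/search_result.php?online=on&home_country_code=0&gender=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&photo=1 HTTP/1.1" 200 5200',
]
```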
  
Disclaimer:  
  
This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.