ICQ Cross-site scripting exploit

A Security Researcher from MorX found ICQ web sites that are prone to Cross site-scripting exploits. The attacker can execute almost any scripts. Here’s a proof of concept:

  • http://www.icq.com/whitepages/sea<BLOKED>rch_result.php?online=on&home_country_code=0&age_group=&gender=%3Cscript%3Ealert(‘Hello%20World’)%3C/script%3E&interest_text=&photo=1

When you click the link above, it is suppose to display a message box that says “Hello World”. But it appears that ICQ has already patched the said search_result.php file.

Again, to protect you from this type of attacks, you may set your IE’s security settings to High. Here’s how:

  1. Go to Control Panel and double-click Internet Options.
  2. Click on Security Tab
  3. Click on the Internet with a globe icon.
  4. Move the slider up to High
  5. Click Apply button then click Ok.

For more information about this vulnerability, click here.

Leave a Reply

Your email address will not be published. Required fields are marked *