===============================================================================
|                                                                             |
          ~    .__ °.__   0       o                    ^   .__ °__  `´
   °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.
   /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |
  | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|
  |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|
  `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================                  


~|Title|: 

Skype - Persistent Cross Site Scripting Vulnerability


~|Author|:

noptrix


~|Date|:

07-13-2011


~|Vendor|:

Skype - http://www.skype.com/


~|Affected Product|:

Skype in version <= 5.3.0.120


~|Affected Platforms|:

Windows (XP, Vista, 7)
Mac OS X <= 10.6.8


~|Vulnerability Class|:

Cross-Site Scripting


~|Description|:

Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "mobile phone" profile entry.
Other input fields may also be affected.


~|Proof of Concept (or Exploit)|:

The following Javascript payload can be used as "mobile phone" entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src='' onload=alert('mphone')>

--- SNIP ---

For a PoC demonstration see:

    [+] http://www.nullsecurity.net/tmp/skype_xss.png
    [+] http://www.youtube.com/watch?v=eIgb9D-0DWs


~|Impact|:

An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and
operating system of the victim.


~|Threat Level|:

High


~|Status|:

Fixed.


~|Notes|:

To the whole world: Funny thing: Anglophone and German media refer me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insists
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.


~|Disclaimer|:

nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!

                Copyright (c) 2011 - nullsecurity.net