A security researcher from MorX found ICQ web sites that are prone to cross-site scripting exploits. The attacker can execute almost any script. Here’s a proof of concept:
- http://www.icq.com/whitepages/sea<BLOKED>rch_result.php?online=on&home_country_code=0&age_group=&gender=%3Cscript%3Ealert(‘Hello%20World’)%3C/script%3E&interest_text=&photo=1
When you click the link above, it is supposed to display a message box that says “Hello World”. However, it appears that ICQ has already patched the search_result.php file.
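The following is an added example, not ICQ's code and not part of the original post: it shows how a query parameter like `gender` in the proof of concept ends up in the page when reflected as-is, next to a handler that validates and encodes it. The host `example.test`, the function names, the page markup and the gender allowlist are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the proof of concept above
# (example.test stands in for the real host).
POC_URL = (
    "http://example.test/whitepages/search_result.php?online=on"
    "&home_country_code=0&age_group="
    "&gender=%3Cscript%3Ealert('Hello%20World')%3C/script%3E"
    "&interest_text=&photo=1"
)

# Assumed set of values the search form can legitimately send.
ALLOWED_GENDER = {"", "male", "female"}


def params(url):
    """Decode the query string the way a web framework would."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in qs.items()}


def render_vulnerable(p):
    """Reflects the decoded parameter straight into the HTML response."""
    return "<p>Gender: " + p.get("gender", "") + "</p>"


def render_hardened(p):
    """Allowlist the enumerated field, HTML-encode the free-text field."""
    gender = p.get("gender", "")
    if gender not in ALLOWED_GENDER:
        gender = ""  # unexpected value: fall back to "no filter"
    interest = html.escape(p.get("interest_text", ""), quote=True)
    return f"<p>Gender: {html.escape(gender or 'any')} | Interests: {interest}</p>"


if __name__ == "__main__":
    p = params(POC_URL)
    print(render_vulnerable(p))  # markup from the URL reaches the page
    print(render_hardened(p))    # the injected value is dropped
```

Validation covers fields with a fixed set of values; output encoding is what protects free-text fields such as `interest_text`, so both are needed.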
Again, to protect yourself from this type of attack, you may set IE’s security settings to High. Here’s how:
- Go to Control Panel and double-click Internet Options.
- Click the Security tab.
- Click the Internet zone, shown with a globe icon.
- Move the slider up to High.
- Click the Apply button, then click OK.
For more information about this vulnerability, click here.