ICQ advertisement banner cross-application scripting

icq-banner-xas (26386)

Risk level: Medium

Description:

ICQ is vulnerable to cross-application scripting (XAS) caused by improper validation of banner advertisements. The client renders banners with an embedded Microsoft Internet Explorer COM object, and that content is processed in the "My Computer" zone rather than the Internet zone. A remote attacker who can supply or substitute a banner (for example through the ad network or an on-path position) could embed script in it; the script bypasses cross-domain restrictions and executes with "My Computer" zone privileges on the victim's system.
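The missing check the description refers to is validation of banner markup before it is handed to a browser control running in a privileged zone. The following is an added illustration, not ICQ's code or anything from the advisory: a fail-closed allowlist validator that accepts only plain link-and-image banners with absolute http(s) URLs and rejects anything else (script elements, event-handler attributes, javascript:, file: or data: URLs, malformed tags). Tag and attribute names, the allowed schemes and the sample banners are assumptions chosen for the example.

```javascript
// Added example (not ICQ's code): allowlist validator for ad-banner HTML
// before it is rendered inside a privileged embedded browser control.
// Anything not explicitly permitted causes rejection; nothing is "cleaned".

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Assumed policy: only <a href> and <img src alt width height>.
const ALLOWED = {
  a:   { href: "url" },
  img: { src: "url", alt: "text", width: "num", height: "num" },
};

// Matches one well-formed start or end tag; anything else with '<' is left
// over as text and rejected below.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function urlOk(value) {
  try {
    // Relative URLs throw here; javascript:, vbscript:, data:, file: parse
    // but carry a scheme that is not on the allowlist.
    return ALLOWED_SCHEMES.has(new URL(value).protocol);
  } catch (e) {
    return false;
  }
}

function validateBanner(html) {
  const reject = (reason) => ({ ok: false, reason });
  let cursor = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    // Text between tags must not contain angle brackets: a '<' that did not
    // form a well-formed tag is a parser-confusion attempt, not content.
    if (/[<>]/.test(html.slice(cursor, m.index))) return reject("stray angle bracket");
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const allowedAttrs = ALLOWED[tag];
    if (!allowedAttrs) return reject(`tag <${tag}> not allowed`);
    if (m[0].startsWith("</")) {
      if (attrs.trim() !== "") return reject(`attributes on closing </${tag}>`);
      cursor = TAG_RE.lastIndex;
      continue;
    }
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      const kind = allowedAttrs[name];
      if (!kind) return reject(`attribute ${name} on <${tag}> not allowed`);
      if (kind === "url" && !urlOk(value)) return reject(`bad URL in ${name}: ${value}`);
      if (kind === "num" && !/^\d{1,4}$/.test(value)) return reject(`bad number in ${name}`);
      if (kind === "text" && /[<>"']/.test(value)) return reject(`bad characters in ${name}`);
    }
    cursor = TAG_RE.lastIndex;
  }
  if (/[<>]/.test(html.slice(cursor))) return reject("stray angle bracket");
  return { ok: true };
}

// Constructed sample banners (assumed hostnames, not real ad servers).
const GOOD_BANNER =
  '<a href="https://ads.example.net/c?id=1"><img src="https://ads.example.net/b.gif" width="468" height="60" alt="Ad"></a>';
const BAD_BANNERS = [
  '<img src="https://ads.example.net/b.gif" onload="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  '<script src="http://ads.example.net/x.js"></script>',
  '<img src="file:///C:/boot.ini">',
  '<a/href="http://ads.example.net/">x</a>',
];

console.log("good:", validateBanner(GOOD_BANNER));
for (const b of BAD_BANNERS) console.log("bad:", validateBanner(b).reason);
```

Because the control runs in the local zone, stripping dangerous parts and rendering the remainder is the wrong design; the example refuses the whole banner on the first policy violation so an attacker cannot probe for what the sanitizer overlooks.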


Consequences:

Gain Access

Remedy:

No remedy available as of September 1, 2014.

References:

  • Full-Disclosure Mailing List, Tue May 09 2006 - 05:23:59 CDT: ICQ Client Cross-Application Scripting (XAS).
  • ICQ.com Web site: ICQ.
  • BID-17913: ICQ Banner Ad Cross-Application Scripting Vulnerability
  • CVE-2006-2303: Cross-Application Scripting (XAS) vulnerability in ICQ Client 5.04 build 2321 and earlier allows remote attackers to inject arbitrary web script from one application into another via a banner, which is processed in the My Computer zone using the Internet Explorer COM object.
  • OSVDB ID: 25432: ICQ Advertisement Banners Cross-Application Scripting
  • SA20010: ICQ Advertisement Banners "My Computer" Zone Script Execution
  • SECTRACK ID: 1016045: ICQ Bug May Let Remote Users Inject and Execute Scripting Code

Platforms Affected:

  • ICQ 5.04 and prior

Reported:

May 09, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
