Document Title:
===============
Skype Community - Persistent Editor Web Vulnerability

Date:
=====
2013-03-28

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=707

MICROSOFT SECURITY RESPONSE CENTER (MSRC) ID: 13021bc

VL-ID:
=====
707

Common Vulnerability Scoring System:
====================================
4

Introduction:
=============
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com. Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia.

Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype's original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Skype Community Website Application.

Report-Timeline:
================
2012-09-26: Researcher Notification & Coordination
2012-09-28: Vendor Notification
2012-10-02: Vendor Response/Feedback
2013-02-22: Vendor Fix/Patch by Check
2013-03-29: Public Disclosure

Status:
========
Published

Affected Products:
==================
Microsoft Corp.
Product: Skype Community - Lithium Forums v2012 Q3

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are located in the official Skype Community Website Application. The bug allows remote attackers with low account privileges to inject their own malicious persistent script code via the editor and its replace function. The vulnerabilities are located in the forum editor module, in the replace function and the bound vulnerable message title, subject and link parameters. Remote attackers can compose malicious forum posts to hijack admin/moderator/customer accounts. Successful exploitation results in local persistent web context manipulation, client-side phishing or persistent session hijacking via forum messages.

Vulnerable Section(s):
[+] Skype Community (Forums) - Lithium Forum

Vulnerable Module(s):
[+] Editor (in combination with the replace all function to execute)

Vulnerable Parameter(s):
[+] Message Subject, Topic Title & Link

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with low or medium required user interaction and with a Skype application service user account. For demonstration or to reproduce ...

PoC:
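The following is an added defender-side example for the parameter classes the Details section names (message subject, topic title and link), showing why a forum editor's "replace all" pass must not be allowed to bypass encoding. It is not the advisory's PoC and not Lithium's or Skype's code; the field names, the render layout and the allowed-scheme list are assumptions, and the sample strings are constructed.

```python
import html
from urllib.parse import urlsplit

# Assumed allow-list of URL schemes permitted in post links. A forum's real
# policy may differ; the advisory does not state Lithium's own rules.
ALLOWED_SCHEMES = {"http", "https"}


def safe_link(url: str):
    """Return the URL if its scheme is on the allow-list, else None.

    Non-printable characters are dropped before parsing so that control
    characters placed in front of or inside the scheme cannot hide it, and
    scheme-less (relative) values are rejected rather than guessed at.
    """
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.netloc:
        return None
    return cleaned


def render_post(subject: str, title: str, link: str) -> str:
    """Encode every stored field at output time.

    Encoding happens here regardless of how the stored text was produced
    (initial compose, later edit, or an editor "replace all" pass), so a
    second mutation path cannot reintroduce unencoded markup.
    """
    esc_subject = html.escape(subject, quote=True)
    esc_title = html.escape(title, quote=True)
    href = safe_link(link)
    if href is None:
        anchor = '<span class="bad-link">[link removed]</span>'
    else:
        anchor = '<a href="%s" rel="noopener nofollow">source</a>' % (
            html.escape(href, quote=True))
    return "<h2>%s</h2>\n<p>%s</p>\n%s" % (esc_subject, esc_title, anchor)


def replace_all(text: str, old: str, new: str) -> str:
    """Editor-style replace that operates on the stored raw text.

    It deliberately does no encoding itself: the render step is the single
    place where encoding happens, so the replace path cannot skip it.
    """
    return text.replace(old, new)


# Constructed sample input (not from the advisory).
SAMPLE_SUBJECT = "Call quality <script>alert(1)</script>"
SAMPLE_TITLE = 'Read "this"'
SAMPLE_LINK = "javascript:alert(document.cookie)"


def demo() -> str:
    """Title starts clean; a later replace-all pass swaps a word for markup.

    The rendered output still contains only encoded markup and no live link.
    """
    title = replace_all(SAMPLE_TITLE, "this", "<script>alert(1)</script>")
    return render_post(SAMPLE_SUBJECT, title, SAMPLE_LINK)


if __name__ == "__main__":
    print(demo())
```

The design point is that validation at compose time alone is not enough when the editor offers further mutation paths; encoding at render time and scheme allow-listing for links hold regardless of which path wrote the stored value.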