+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
07/26/2011

Vendor:
-------
ICQ website - http://www.icq.com/

Affected Software:
------------------
Software: icq.com website
Version: current

Affected Web-Browsers:
----------------------
Mozilla Firefox, Chrome, Internet Explorer, Safari

Vulnerability Class:
--------------------
Cross-Site Scripting

Description:
------------
icq.com suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "feeds" entry.
Other input fields may also be affected.

Proof of Concept:
-----------------
The following JavaScript payload can be used as a "feed" entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src=a onload=alert('feed') <

--- SNIP ---

For a PoC demonstration see:
    - http://www.noptrix.net/tmp/icq_web_xss.png
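
Added example (not part of the original advisory and not icq.com code): how
the payload above behaves when a feed entry is concatenated into a
double-quoted attribute, beside a validated and output-encoded form. The
markup, the function names and the rule that a feed entry must be an http(s)
URL are assumptions made for illustration.

```javascript
// Added example: names and markup are hypothetical, not taken from icq.com.
const POC = `"><iframe src=a onload=alert('feed') <`; // payload quoted in the advisory

// Vulnerable pattern: untrusted value concatenated into a double-quoted attribute.
function renderFeedVulnerable(entry) {
  return `<input type="text" name="feed" value="${entry}">`;
}

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation (assumption: a feed entry is an absolute http(s) URL).
function isValidFeedUrl(entry) {
  try {
    const url = new URL(entry);
    return url.protocol === 'http:' || url.protocol === 'https:';
  } catch {
    return false; // not parseable as an absolute URL
  }
}

// Hardened pattern: encode on output regardless of what validation accepted.
function renderFeedHardened(entry) {
  return `<input type="text" name="feed" value="${escapeHtml(entry)}">`;
}

// Counts tag openings in rendered markup; the template itself contains exactly one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('vulnerable tags:', countTags(renderFeedVulnerable(POC)));
console.log('hardened tags:  ', countTags(renderFeedHardened(POC)));
console.log('PoC passes validation:', isValidFeedUrl(POC));
```

Validation rejects the payload at input time, while the encoder keeps stored
values inert even if an entry was saved before validation existed.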

Impact:
-------
An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to extend the attack to the victim's underlying web browser and
operating system.

Threat Level:
-------------
High!

Notes:
------
To the whole world: Funny thing: Anglophone and German media refer to me as
Armenian in their Skype XSS articles, yet all the Turkish news sites insist
that I am Turkish. For the record, I am Armenian and my people have been
persecuted by Turkey for hundreds of years. Thanks.