+-----------------------------------------------------------------------------+
|                   noptrix.net - Public Security Advisory                    |
+-----------------------------------------------------------------------------+


Date:
-----
08/17/2011

Vendor:
-------
Skype Limited - http://www.skype.com/

Affected Software:
------------------
Software: Skype
Version: <= 5.5.0.113

Affected Platforms:
-------------------
Windows (XP, Vista, 7)

Vulnerability Class:
--------------------
HTML/(Javascript) code injection

Description:
------------
Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of following profile entries:
- home
- office
- mobile

Proof of Concept:
-----------------
The following HTML codes can be used to trigger the described vulnerability:

--- SNIP ---

Home Phone Number:
<b>INJECTION HERE</b>

Office Phone Number:
<center><i>INJECTION HERE</i></center>

Mobile Phone Number:
<a href="#">INJECTION HERE</a>

--- SNIP ---

For a PoC demonstration see:
    - http://www.noptrix.net/tmp/skype_inject.png

Impact:
-------
An attacker could for example inject HTML/Javascript code. It has not been
verified though, if it's possible to hijack cookies or to attack the underlying
operating system. Attacker could give a try using extern .js files...

Threat Level:
-------------
Low - ?

Solution:
---------
skype.com has to validate the input characters and sanitize the output.

Status:
-------
Skype hasn't fixed the issue yet.