{"id":8247,"date":"2017-07-06T14:19:15","date_gmt":"2017-07-06T22:19:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/06\/news-2021\/"},"modified":"2017-07-06T14:19:15","modified_gmt":"2017-07-06T22:19:15","slug":"news-2021","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/06\/news-2021\/","title":{"rendered":"SSD Advisory \u2013  Skype For Business XSS"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 06 Jul 2017 05:45:53 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an XSS vulnerability found in Skype for Business.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: &#8220;implemented some changes in the latest version to sanitize HTML input&#8221;<\/p>\n<p><span id=\"more-3269\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> One of the features of Skype for Business is the ability to send HTML code via chat, which Skype for Business then renders.<\/p>\n<p>The vulnerability allows an attacker to send malicious HTML code that will be rendered; once the victim clicks on the rendered picture, he is redirected to a 
website of the attacker's choice.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> You can use the following steps to recreate the vulnerability:<br \/> 1. Copy and run the following message in &#8220;<a href=\"http:\/\/jsfiddle.net\" target=\"_blank\">jsfiddle.net<\/a>&#8221;:<\/p>\n<div id=\"crayon-595eb762d4ab3065474918\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" 
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;xht:acronym style=&quot;font:7604% serif; font-family:roman; background-color:#FF0000;&quot;&gt;&lt;a href=&quot;\/\/evil.com&quot;&gt;X&lt;\/a&gt;&lt;\/xht:acronym&gt;<\/textarea><\/div>\n<\/div>\n<p>2. Copy the rendered HTML (see the screenshot jsfiddle.jpg).<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle.jpg\" data-slb-active=\"1\" data-slb-asset=\"281674581\" data-slb-internal=\"0\" data-slb-group=\"3269\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle-300x156.jpg\" alt=\"\" width=\"300\" height=\"156\" class=\"alignnone size-medium wp-image-3270\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle-300x156.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle-768x400.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle-1024x533.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle.jpg 1381w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>3. Paste it directly into the chat window of the victim and press Enter.<\/p>\n<p>4. 
The HTML code submitted has been executed correctly.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3269\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/jsfiddle-300x156.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 06 Jul 2017 05:45:53 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an XSS vulnerability found in Skype for Business. Credit An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program. 
Vendor response The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3269\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013  Skype For Business XSS<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,10757],"class_list":["post-8247","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8247"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8247\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}