• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Skype Web Content Zone Remote Code Execution Vulnerability

The following video demonstrates an example exploit. The DailyMotion website service allows users to upload videos for public viewing. Due to an input-validation issue affecting the website, attackers can inject arbitrary code in the 'Title' field when uploading videos. When a Skype user accesses DailyMotion via Skype's 'Add video to chat' page and the malicious title is displayed, the attacker's code executes.

http://www.youtube.com/watch?v=FcuQrLZ4AU0

Metacafe videos are also reported to be an attack vector for this issue. Proof-of-concept code is reported to exist, but not publicly available.