In the new Skype video chat, every user is able to insert a video into his own mood.
And this is the result:
1) Prepare your XSS injection
(Pics from critical)
2) Exploit it!
(Pics from critical)
It seems that Skype trusts third-party links without checking them!
We were able to find some permanent XSS vectors in dailymotion.com: videos have a ‘Title’ field, which is not properly filtered and is returned to the user under certain conditions. So it becomes possible to execute malicious script content when a user is searching for a video to add to his mood. You may also test it by entering the word ‘saugumas’ in the dailymotion.com video search field.
Original post: ( http://seclists.org/fulldisclosure/2008/Jan/0328.html )
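The root cause described above, a third-party video 'Title' placed into the client's markup unfiltered, is shown here next to a hardened renderer. This is an added example, not code from Skype, dailymotion.com or the original post; the result object, the function names and the sample video URL are assumptions constructed for illustration.

```javascript
// Added example: rendering one search result that comes from a third-party
// video site. All names and the sample data below are hypothetical.

// Encode the characters that can change the parsing context in element
// content or inside a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only http(s) links that point at the expected host or a subdomain.
// Returns the normalised URL, or null when the link must not be rendered.
function safeVideoUrl(raw, allowedHost) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  const host = url.hostname;
  if (host !== allowedHost && !host.endsWith('.' + allowedHost)) return null;
  return url.href;
}

// Vulnerable pattern: remote metadata is concatenated into markup as-is,
// so any markup in the title is parsed by the embedding client.
function renderResultUnsafe(result) {
  return '<li><a href="' + result.url + '">' + result.title + '</a></li>';
}

// Hardened pattern: validate the link, encode every remote string on output.
// A result with an unacceptable link is dropped (empty string).
function renderResultSafe(result, allowedHost) {
  const href = safeVideoUrl(result.url, allowedHost);
  if (href === null) return '';
  return '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(result.title) + '</a></li>';
}

// Constructed sample result (video id and title are made up).
const sample = {
  url: 'https://www.dailymotion.com/video/x0000',
  title: 'saugumas <script>alert(1)</script>',
};
```

Encoding at output time in the embedding client matters here because the client cannot rely on the remote site having filtered the field.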