J-Security Center

Title: ICQ Forced User Addition Vulnerability

Severity: MODERATE

Description:

ICQ is an instant messaging application from Mirabilis.

When ICQ is installed on Windows systems, Microsoft Internet Explorer is configured to hand content with the 'application/x-icq' Content-Type to ICQ. This registration integrates ICQ with web browsing and with the web-based components of the ICQ service.

A webserver can force the addition of arbitrary ICQ UINs to a target user's ICQ contact list if that user is running ICQ and browsing with Microsoft Internet Explorer. If a webserver returns contact information with the 'application/x-icq' content-type, ICQ adds the contact to the contact list without user consent (provided that authorization is not required). In more recent versions of the ICQ client, the user is prompted before a contact is added to the contact list.
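As an added defender-side example that is not part of the advisory, the check below decides whether an HTTP response's Content-Type would be dispatched to the ICQ handler described above (handling case differences and MIME parameters) and runs that check over constructed proxy log lines; the log format, hostnames and addresses are assumptions.

```python
"""Flag HTTP responses that would be handed to the 'application/x-icq'
handler registered by ICQ, run over constructed proxy log lines."""
import re

# MIME type the ICQ installer registers with Internet Explorer (from the advisory).
ICQ_MIME_TYPE = "application/x-icq"

def normalize_media_type(content_type):
    """Return the bare type/subtype of a Content-Type value, lower-cased, with
    parameters (e.g. '; charset=...') and surrounding whitespace removed.
    Returns None for an empty or missing value."""
    if not content_type:
        return None
    media = content_type.split(";", 1)[0].strip().lower()
    return media or None

def delivers_icq_contact(headers):
    """True if a response carrying these headers would be routed to ICQ.
    `headers` maps header name -> value; names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return normalize_media_type(value) == ICQ_MIME_TYPE
    return False

# Constructed proxy log format (an assumption, not from the advisory):
#   <client-ip> <server-host> "<content-type>"
LOG_LINE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

def scan_proxy_log(lines):
    """Return (client, server) pairs for entries that delivered ICQ contact data."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, server, ctype = m.groups()
        if delivers_icq_contact({"Content-Type": ctype}):
            hits.append((client, server))
    return hits

# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 www.example.com "text/html; charset=iso-8859-1"',
    '10.0.0.5 cdn.example.net "Application/X-ICQ"',
    '10.0.0.7 files.example.org "application/x-icq; name=contact.icq"',
    '10.0.0.9 www.example.com "application/x-icq-other"',
    'garbage line',
]

if __name__ == "__main__":
    for client, server in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} received ICQ contact data from {server}")
```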

Affected Products:

  • Mirabilis ICQ 2000.0.0 A
  • Mirabilis ICQ 2000.0.0 b Build 3278
  • Mirabilis ICQ 2001 a

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.