wg-voip - Skype and KPhone vulnerabilities
- From: Candace Holman <>
- To:
- Subject: Skype and KPhone vulnerabilities
- Date: Tue, 30 May 2006 18:30:13 -0400
Title: Skype Technologies Skype URI Handling Remote File Download
Skype from Skype Technologies is peer-to-peer communications software that
provides for Internet-based voice communications. Skype is prone to an
arbitrary file download vulnerability. This issue is due to improper Skype
URI handling. This issue is triggered by specially crafted, malformed Skype
URIs. If an unsuspecting user follows these URIs, Skype will be launched, and
an attacker-specified file will automatically be downloaded from the victim
user's computer to the attacker. This issue allows remote attackers to
transfer files from one Skype user to another, provided the recipient user
has previously approved downloads.
Ref: http://www.skype.com/security/skype-sb-2006-001.html
Title: KPhone Local Information Disclosure
Description: KPhone is a voice-over-internet phone implementation. The
"kphonerc" configuration file, which contains SIP phone passwords and
configuration information, is created with world-readable permissions.
KPhone version 4.2 is affected.
Ref: http://www.securityfocus.com/bid/18049
Candace
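
A check for the KPhone issue summarized above, added here as an example and not part of the original post or of KPhone itself. It searches a directory tree for files named "kphonerc" that are world-readable and restricts them to the owner; the search root is an assumption supplied by the caller, since the message does not give the file's location.

```shell
#!/bin/sh
# Added example: audit and lock down "kphonerc" files that hold SIP
# passwords but are readable by every local user.
# Assumption: the caller passes the directory to search (for example the
# parent of the users' home directories); the file is matched by name only.

# Print every regular file named kphonerc under $1 whose mode has the
# world-readable bit (o+r) set. Prints nothing if every copy is private.
find_exposed_kphonerc() {
    find "$1" -type f -name kphonerc -perm -004 -print 2>/dev/null
}

# Set mode 0600 (owner read/write only) on each exposed file under $1.
# Files that are already private are not matched and stay untouched.
lock_kphonerc() {
    find "$1" -type f -name kphonerc -perm -004 -exec chmod 600 {} + 2>/dev/null
}

# When run with a directory argument, report exposed files without changing them.
if [ "$#" -ge 1 ]; then
    find_exposed_kphonerc "$1"
fi
```

Tightening the mode does not undo earlier exposure, so SIP passwords stored in a file that was world-readable should be changed.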