Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Yahoo mail Cross Site Scripting vulnerability

from [simo] Network Security [Permanent Link]
Subject: [Full-disclosure] Yahoo mail Cross Site Scripting vulnerability
Date: Sun, 25 Dec 2005 18:00:29 -0000 (GMT) 
Title: Yahoo mail Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Date: 22 December 2005
MorX Security Research Team
http://www.morx.org

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: High

Tested on: Microsoft IE 6.0

Details:

Yahoo mail filter fails to detect script attributes in combination with
the style attribute as a tag, leaving everyone using yahoo mail service
with MSIE vulnerable to Cross Site Scripting including Cookie Theft and
relogin attacks. This is a high risk security vulnerability because the
attacker wont have to make the victim click on any link, all he/she has
to do is to send the javascript code as an html email to the target and
once the victim open the email the malicious code will be executed in
his/her browser.

Impact:

an attacker can send the infiltred code as an html email to a yahoo mail
user with MSIE. Once the victim open the malicious email the javascript
content will be executed in the the target browser. This will allow user's
session cookie theft, giving the attacker access to the victim mail box
for about 24 hours (until the cookie expires) and also other types of
attacks like reloging.

Exemple of Exploit code:

<STYLE onload="alert('Yahoo mail ! cookies exploit by _6mO_HaCk, click OK
now to view your cookie ;)'); alert(document.cookie)"> </STYLE>

Screen captures:

www.morx.org/yahoo-cookie.JPG
www.morx.org/yahoo-cookie1.JPG

Solution:

Switch to firefox, or disable script execution

Vendor-status:

i didnt contact yahoo, because i contacted them previously regarding a
similar vulnerability, and yes they fixed it "silently" without even
sending me a thank you email, frankly i didnt really appreciate that.

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The exploit code is to be used on your OWN email account. I
cannot be held responsible
for any of the above.

Note:

Yahoo is vulnerable to others similar vulnerabilites, that was just one
exemple of many, demonstrating how it's easy to bypass webmail filters,
for more information or details please contact me at simo_at_morx_org.
merry christmas everybody and happy new year. if you like this advisory
then buy me a blue motherfuc*er next saturday on Alumni club, Schaumburg,
IL :D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Multiple Translation websites Cross Site Scripting vulnerability: Google, Altavista, IBM, freetranslation, worldlingo, etc, simo
Next by Date:  MDKSA-2005:236 - Updated fetchmail packages fix vulnerability, Mandriva Security Team
Previous by Thread:  [Full-disclosure] Multiple Translation websites Cross Site Scripting vulnerability: Google, Altavista, IBM, freetranslation, worldlingo, etc, simo
Next by Thread:  Yahoo mail Cross Site Scripting vulnerability, simo
Indexes:  [Date] [Thread] [Top] [All Lists]