Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] XSS with UTF-7 in yahoo.com

from [HASEGAWA Yosuke] Network Security [Permanent Link]
Subject: [Full-disclosure] XSS with UTF-7 in yahoo.com
Date: Mon, 26 Nov 2007 10:42:39 +0900 
XSS with UTF-7 in yahoo.com

Abstract:
XSS with UTF-7 was found in yahoo.com (already fixed).
Although charset was specified in HTTP response header, but
charset-name was incorrect so XSS occurred.


PoC:
http://search.yahoo.com/search?p=%2BADw-/title%2BAD4-%2BADw-script%2BAD4-alert(document.cookie)%2BADw-/script%2BAD4-&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8&eo=euc

Details:
The "euc" is specified for output charset with "eo" parameter,
so responded HTTP header from Yahoo is like as:
--
Content-Type: text/html; charset=EUC
--

"euc" is not registered as correct charset name for IE.
IE recognizes only charset names Hardocorded in MLang.dll
like as "EUC-JP", "EUC-KR", "UTF-8" and so on.

Therefore, an automatic detection function for encoding works,
and detect as "UTF-7".

Typical incorrect charset name in japanese web pages are followings:

utf8 - Idiomatic expression of "UTF-8" hyphen falls out.
euc - Idiomatic expression of "EUC-JP"
jis - Idiomatic expression of "ISO-2022-JP"
MS932 / MS932 / CP942C - Comparable encodings to Shift_JIS on Java
Windows-31J - IANA registered name for Codepage 932, but not
registered in Windows.

Status:
Nov 16 2007 reported to Yahoo and was fixed immediately.

-- 
HASEGAWA Yosuke
    yosuke.hasegawa@gmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] XSS with UTF-7 in yahoo.com, HASEGAWA Yosuke <=
Previous by Date:  [Full-disclosure] [ GLSA 200711-34 ] CSTeX: Multiple vulnerabilities, Pierre-Yves Rofes
Next by Date:  [Full-disclosure] False advertisting and possible click fraud about n3td3v, worried security
Previous by Thread:  [Full-disclosure] [ GLSA 200711-34 ] CSTeX: Multiple vulnerabilities, Pierre-Yves Rofes
Next by Thread:  [Full-disclosure] False advertisting and possible click fraud about n3td3v, worried security
Indexes:  [Date] [Thread] [Top] [All Lists]