Network Security: Detailed info on Re: XSS on Yahoo Mail

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

Re: XSS on Yahoo Mail

from [Jim Ley] Network Security

[Permanent Link]

Subject:	Re: XSS on Yahoo Mail
Date:	Thu, 24 Nov 2005 19:28:45 -0000


"Will Wesley" <willwesleyccna@yahoo.de> wrote in message 
20051124025004.32883.qmail@web26902.mail.ukl.yahoo.com">news:20051124025004.32883.qmail@web26902.mail.ukl.yahoo.com...

This is not exactly a problem with Yahoo!, but rather
a problem with the way browsers tend to render HTML
when forced to deal with broken tags.


So it's a problem with Yahoo, as they allow the email, to write to places on 
the screen that is not part of the email.  I agree this is certainly down to 
the liberalness of the browsers parser, but that doesn't mean yahoo can 
ignore it, it's just a demonstration of how difficult a job it is for people 
who want to accept arbitrary HTML to be secure for their user

Of course there is a pretty simple solution, which is to just use an IFRAME, 
then there's no way the email to escape into the surrounding chrome.

Jim.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
XSS on Yahoo Mail, Richard Fuchshuber RE: XSS on Yahoo Mail, Will Wesley Re: XSS on Yahoo Mail, Steven Champeon Re: XSS on Yahoo Mail, Will Wesley Re: XSS on Yahoo Mail, Jim Ley <= RE: XSS on Yahoo Mail, Richard Fuchshuber Re: XSS on Yahoo Mail, Personal Account Re: XSS on Yahoo Mail, little . hacker Re: XSS on Yahoo Mail, Matan Peled Re: XSS on Yahoo Mail, alireza hassani Re: XSS on Yahoo Mail, Lance James

Previous by Date:	Re: XSS on Yahoo Mail, Will Wesley
Next by Date:	Re: XSS on Yahoo Mail, Personal Account
Previous by Thread:	Re: XSS on Yahoo Mail, Will Wesley
Next by Thread:	RE: XSS on Yahoo Mail, Richard Fuchshuber
Indexes:	[Date] [Thread] [Top] [All Lists]