lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 29 Jun 2010 08:21:26 -0700
From: Chris Evans <scarybeasts@...il.com>
To: pratul agrawal <pratulag@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk, security@...oo.com, info@...t-in.org.in
Subject: Re: yahoomail dom based xss vulnerability

On Mon, Jun 14, 2010 at 9:50 PM, pratul agrawal <pratulag@...oo.com> wrote:

> Yahoo mail Dom Based Cross Site Scripting
>
>                      Founder: Pratul Agrawal <pratulag[at]yahoo[dot]com>
> DescriptionService: Webmail
>
> Vendor: Yahoo mail, and possibly others
>
> Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
>
> Severity: High
>

I've been meaning to reply to this for a while.

I'm not picking on you in particular. I'm picking on the industry trend to
escalate severities to "high" and even "critical" for issues of no
particular concern.

Losing focus on the bugs that are _actually_ of "high" or "critical"
severity is a very bad thing.

In this instance, it would appear that the victim has to follow a list of
instructions -- including pasting a suspicious piece of script into a text
field -- in order for them to be exploited. It is of lesser severity than a
persisted XSS (0 suspicious link clicks to exploit) and also of lesser
severity than even a reflected XSS (1 suspicious link clicks to exploit).
In fact, if we assume a model where we can simply persuade the victim to
operate under this level of the attacker's instruction, we might as well ask
the victim to paste a javascript URI into the URL bar. Or simply ask the
victim to enter text such as attacker@...l.com in a UI control for a
forwarding address.

The vulnerability described in "steps to reproduce" cannot realistically be
considered to be of "high" severity.


Cheers
Chris


>
> Tested on: Microsoft IE 7.0
>
> Details:
>
> Yahoo mail filter fails to detect script attributes in combination with
> the style attribute as a tag, leaving everyone using yahoo mail service
> with MSIE vulnerable to Cross Site Scripting including Cookie Theft and
> relogin attacks.
>
> Impact:
>
> This is totally a dom based xss attack. an application takes the user
> suplied data and directly feed it into the API designed to show the Newly
> created folder name n the yahoomail. Throug this an attacker can easily
> perform a cookie theft attack, Site defacement attack and many more.Steps
> To Reproduce1. Login the yahoomail with valid credentials.
>
> 2. Click on inbox.
>
> 3. Now click on Move < [New Folder].
>
> 4. Now enter the javascript "><script>alert('yahoo')</script> in the field
> given for creating new folder.
>
> 5. Press OK and the script get executed. yahhhhooooo
> Best Regards,
> Pratul Agrawal
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ