Message-ID: <20051124025004.32883.qmail@web26902.mail.ukl.yahoo.com>
Date: Thu, 24 Nov 2005 03:50:04 +0100 (CET)
From: Will Wesley <willwesleyccna@...oo.de>
To: Richard Fuchshuber <richardfuch@...oo.com.br>,
bugtraq@...urityfocus.com
Subject: RE: XSS on Yahoo Mail
--- Richard Fuchshuber <richardfuch@...oo.com.br> wrote:
>
> Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html attachments. It's possible to insert data into the "Yahoo! Mail" html interface.
>
> For example, with the following code in an html attachment it's possible to insert "Your profile is out of date, please update clicking here" above the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in a phishing scam.
>
> For a screenshot, see [1]. The circled text was inserted into the interface of "Yahoo! Mail" through an email with the above code as an html attachment.
>
> I tried to contact "Yahoo!" several times, without success.
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
This is not exactly a problem with Yahoo!, but rather a problem with the way browsers tend to render HTML when forced to deal with broken tags. Your "<? <table....>" is not needed to accomplish the same thing, since a browser will consider everything from < to the next > as a tag. Since <? is not recognized, the whole thing is ignored.

The real problem is that you are injecting a TR element into the middle of a TD, then closing the table without first closing the TD. Any web developer who would do such a thing is a moron, and your browser does the best it can to make sense of it. You might try asking Yahoo how to turn HTML off, or simply use POP with a text-only reader to work around this.
- Will Wesley, BSCS
http://wieso.blogdrive.com
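To make the failure mode in the reply above concrete from the defender's side, here is an added example (mine, not from either poster) that scans an HTML attachment for exactly the constructs discussed in the thread: a bogus "<?" that swallows the tag after it, a TR opened inside the host page's still-open TD, and a TABLE closed while that TD is still open. The "<table><tr><td>" wrapper standing in for the webmail interface cell is a constructed assumption; the real Yahoo! Mail markup is not in the thread.

```python
from html.parser import HTMLParser

# Constructed stand-in for the webmail cell the attachment renders into (real markup not in thread).
HOST_OPEN, HOST_CLOSE = "<table><tr><td>", "</td></tr></table>"

# The attachment from the original report, verbatim.
REPORTED_ATTACHMENT = """<?
<TABLE border="1" cellspacing="1" cellpadding="0">
<TR>Your profile is out of date, please update <a
href="www.blabla.com">clicking here.</a></TR>
</TABLE>"""

class TableNestingChecker(HTMLParser):
    """Flags a bogus '<?' that swallows the next tag, a TR opened outside a
    table or inside an open TD, and a TABLE closed while a TD is still open."""

    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []   # open elements (outermost first), findings

    def handle_pi(self, data):
        # Like a browser, html.parser treats '<?' up to the next '>' as one construct.
        self.findings.append(f"bogus '<?' swallowed: {data.strip()!r}")

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            if "table" not in self.stack:
                self.findings.append("tr outside any table")
            elif self.stack[-1] == "td":
                self.findings.append("tr opened inside td")
        if tag not in ("br", "img", "hr", "input", "meta", "link"):  # void elements
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            self.findings.append(f"stray </{tag}>")
            return
        idx = len(self.stack) - 1 - self.stack[::-1].index(tag)
        if tag == "table" and "td" in self.stack[idx:]:
            self.findings.append("table closed with td still open")
        del self.stack[idx:]              # implicitly close everything above it

def check_attachment(markup, in_host_cell=True):
    # By default the attachment is checked as rendered inline inside the host cell.
    if in_host_cell:
        markup = HOST_OPEN + markup + HOST_CLOSE
    p = TableNestingChecker()
    p.feed(markup)
    p.close()
    return p.findings
```

Findings come back in the order the parser hits them; a mail gateway could treat a non-empty list as a reason to render the attachment as plain text or in an isolated frame rather than inline in the interface.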