lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Nov 2005 03:50:04 +0100 (CET)
From: Will Wesley <willwesleyccna@...oo.de>
To: Richard Fuchshuber <richardfuch@...oo.com.br>,
	bugtraq@...urityfocus.com
Subject: RE: XSS on Yahoo Mail



--- Richard Fuchshuber <richardfuch@...oo.com.br>
schrieb:

> 
>   Hi,
> 
> I've noticed a strange behavior in "Yahoo! Mail"
> when dealing with html
> attachments. It's possible to insert data into the
> "Yahoo! Mail" html
> interface.
> 
> For example, with the following code in an html
> attachment it's possible
> to insert "Your profile is out of date, please
> update clicking here" above
> the button "Check Mail".
> 
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
> 
> I think this could be used in phishing scam.
> 
> For a screenshot, see [1]. The circulated text was
> inserted into interface
> of the "Yahoo!  Mail" through an email  with the
> above code  as an html
> attachment.
> 
> I tried to contact "Yahoo!" several times, without
> success.
> 
> [1] - http://richard.computeiro.com/yahoo_bug.jpg

This is not exactly a problem with Yahoo!, but rather
a problem with the way browsers tend to render HTML
when forced to deal with broken tags. Your "<?
<table....> is not needed to accomplish the same
thing, since a browser will consider everything from <
to the next > as a tag. Since <? is not recognized the
whole thing is ignored.

The real problem is that you are injecting a TR
element into the middle of a TD, then closing the
table without first closing the TD. Any web developer
who would do such a thing is a moron, and your browser
does the best it can to make sense of it. You might
try asking Yahoo how to turn HTML off, or simply use
POP with a text only reader to work around this.

- Will Wesley, BSCS
http://wieso.blogdrive.com



	

	
		
___________________________________________________________ 
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de


Powered by blists - more mailing lists