Open Source and information security mailing list archives
 
Date: Wed, 23 Nov 2005 20:23:19 -0500
From: Personal Account <jetflash@...pop.com>
To: bugtraq@...urityfocus.com
Subject: Re: XSS on Yahoo Mail


Doing mouse over shows the truth.

On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
>   Hi,
> 
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
> 
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
> 
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
> 
> I think this could be used in a phishing scam.
> 
> For a screenshot, see [1]. The circulated text was inserted into interface
> of the "Yahoo! Mail" through an email with the above code as an html
> attachment.
> 
> I tried to contact "Yahoo!" several times, without success.
> 
> 
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
> 
> 
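An added example, not part of either message: a Python sketch of a defensive attachment preview for the markup quoted above, assuming the webmail page embeds an HTML attachment's markup directly into its own document. The function names, the `mail-ui` wrapper and the `[link: ...]` notation are hypothetical; the safe version flattens the attachment to escaped text and prints each link target beside its label, so the destination is visible without a mouse-over.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the attachment body quoted in the report above.
ATTACHMENT = (
    '<?\n<TABLE border="1" cellspacing="1" cellpadding="0">\n'
    '<TR>Your profile is out of date, please update <a\n'
    'href="www.blabla.com">clicking here.</a></TR>\n</TABLE>'
)

def render_inline_unsafe(body: str) -> str:
    """Assumed vulnerable behaviour: attachment markup joins the UI's own HTML."""
    return '<div id="mail-ui">' + body + '<button>Check Mail</button></div>'

class _Flatten(HTMLParser):
    """Keep visible text only; append each link's target after its label."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.hrefs = []  # targets of currently open <a> elements

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

    def handle_endtag(self, tag):
        if tag == "a" and self.hrefs:
            self.out.append(" [link: %s]" % self.hrefs.pop())

    def handle_data(self, data):
        self.out.append(data)

def render_preview_safe(body: str) -> str:
    """Show the attachment as inert, escaped text inside the UI."""
    parser = _Flatten()
    parser.feed(body)
    parser.close()
    text = " ".join("".join(parser.out).split())  # collapse whitespace
    return ('<div id="mail-ui"><pre class="attachment">' + html.escape(text)
            + '</pre><button>Check Mail</button></div>')

if __name__ == "__main__":
    print(render_inline_unsafe(ATTACHMENT))
    print(render_preview_safe(ATTACHMENT))
```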



