lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 28 Jan 2007 01:13:40 +0530
From: "3B.Security Researcher" <>
To: "Ahmed Sheipani" <>
Subject: Re: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger

Hi friends,

Bingo! It works on the Y!messenger version and have verified
it on my setup.
Quite strange indeed! Good finding ;) Let us see if it can be "really"


On 1/28/07, Ahmed Sheipani <> wrote:
> Hello
> I have just tested this with Yahoo! Messenger , and it does not
> seem to work..
> However, I noticed that after setting the FirstName parameter to a very long
> one, the automatic notification message does not appear anymore.
> -----Original Message-----
> From: []
> Sent: Friday, January 26, 2007 7:27 AM
> To:
> Subject: Cross-site Scripting with Local Privilege Vulnerability in Yahoo
> Messenger
> Importance: High
> I've found a cross-site scripting vulnerability in Yahoo! Messenger, a
> popular advertisement-supported instant messaging client and protocol
> provided by Yahoo! Attacker can inject a malicious script with local
> privilege to Y!M notification message.
> The vulnerability is discovered in the chat dialog. The automatic
> notification message of Yahoo! Messenger, for instance "Hai Nam  Luke has
> signed out. (1/26/2007 10:03 PM)" or "Hai Nam Luke has signed back in.
> (1/26/2007 10:04 PM)" can be easily exploited with injecting a malicious
> script to. Script is disabled in chat messages but system notification
> messasage. That Yahoo Messenger uses Internet Explorer to display messages,
> the malicious script will be run with local privilege in the Internet
> Explorer Temporary Folder. This serious vulnerability could allow attacker
> gain the victim's system access.
> Inject unexpected script also causes other Yahoo! Messenger's errors.
>        Yahoo! Messenger and previous versions
> + Firstname: Hai Nam Luke Hai Nam Luke Hai Nam Luke Hai Nam Luke . ( as long
> as victim cant see the lastname)
>        + Lastname:  <img src="javascript:alert('Executed from ' +
> top.location)" >
>        + Request to add victim ID to your contact list.
> + Once victim accepts your request, send him a message and change your
> online status (Available -> Invisible)
> This vulnerability was reported to Yahoo!
> Hai Nam Luke <>
> K46A - NEU

Powered by blists - more mailing lists