lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <007d01c3455e$82e31b70$0100a8c0@grotedoos>
From: SkyLined at edup.tudelft.nl (Berend-Jan Wever)
Subject: Yahoo XSS

XSS bugs in webpages are so yesterday... I spent one day searching for XSS
holes about a year ago and there was not one site that wasn't vulnerable in
one way or another. (Real Player, Adobe, Napster, Altavista, Yahoo,
Netscape, Ebay, Amazon, Redhat, Microsoft, Google, Cnet, Anonymizer, Lycos,
...) Most of these are still not fixed, even though I reported them all.
More interesting offcourse are XSS bugs in yahoo webmail:
[SCRIPT][STYLE]*{width:expression(alert("whoops"))}[/STYLE][/SCRIPT]
Put that in HTML mail to a yahoo user and you've got yourself another vector
for mass-mailing worms. I allready wrote a PoC mass-mailing worm in jscript
for hotmail, since they've had XSS issues in the past too. Hotmail is one of
the very few sites that took these vulnerabilities seriously and fixed them
within a few hours. Even though their virus scanning partner, McAfee was
unreachable when I wanted to show them their scanners didn't detect my
jscript worm.

Cheers!

SkyLined


----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>; "0day" <0day@...hackers.org>
Sent: Tuesday, July 08, 2003 6:53
Subject: [Full-Disclosure] Yahoo XSS


> Interesting...
>
>
http://search.yahoo.com/search?p=%3Cscript%3Ealert%28%22You+are+vunerable+to+xss+-+discovered+by+morning_wood+http%3A%2F%2Fexploitlabs.com%22%29%3C%2Fscript%3E&ei=UTF-8&fr=msgr-buddy&vm=i&n=20&fl=0&x=wrt
>
>
> morning_wood
> http://exploitlabs.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ