Message-ID: <4b6ee931040925141641ba53b8@mail.gmail.com>
From: xploitable at gmail.com (xploitable)
Subject: Yahoo! Store Security Advisory
On Sat, 25 Sep 2004 22:11:27 +0100, xploitable <xploitable@...il.com> wrote:
>
>
> On Fri, 24 Sep 2004 00:44:05 -0400, Stuart Moore
> <smoore.fd@...urityglobal.net> wrote:
> > Yahoo! Store Security Advisory
> >
> > Advisory: http://securitytracker.com/id?1011403
> > Date: September 23, 2004
> > Vendor: Yahoo!
> > Product: Yahoo! Store
> > Status: Fixed by the vendor; Coordinated release
> > Credit: Ben Efros
> > benjamin@...uy.org
> > http://www.citiprice.com/
> >
> > Description:
> >
> > Ben Efros reported the following vulnerability in the Yahoo! Store
> > shopping cart to SecurityTracker <bugs@...uritytracker.com> on August
> > 15, 2004.
> >
> > A remote user can effectively alter the price of merchandise being
> > placed into their shopping cart.
> >
> > A remote user can submit modified HTML to the affected commerce site
> > with an unauthorized item option or with a valid option that has been
> > price-modified. The system will compute the order using the price of
> > the option, which can be a positive or negative value. If the merchant
> > does not review the order prior to fulfillment, the item may be sold for
> > the incorrect price.
> >
> > The 'options' select item lists are intended to be used to define
> > separately priced purchasing options, such as additional accessories,
> > different sizes, extended warranties, and express shipping.
> >
> > An example of a select item option is provided:
> >
> > <SELECT NAME="Express Shipping">
> > <OPTION>No</OPTION>
> > <OPTION>Yes (+8.95)</OPTION>
> > </SELECT>
> >
> > A remote user can modify the price of the select item option to an
> > arbitrary value, even to a negative number. If an item is purchased
> > with a negative price option selected, then the price of the order will
> > be reduced by the negative amount selected.
> >
> > If a merchant does not use options, a remote user can still add an
> > arbitrary option with an arbitrary price.
> >
> > Notification Timeline:
> >
> > August 15, 2004 - Vendor notification
> > September 8, 2004 - Vendor fix
> > September 8, 2004 - Merchant notification
> > September 23, 2004 - Public advisory
> >
> > Solution: The vendor issued a production fix on September 8, 2004. The
> > fix adds an "Item Options Validation" setting for merchants so that
> > merchants can automatically reject unrecognized options. The default
> > configuration for existing merchants is to reject unrecognized options.
> >
> > The vendor has described the new option at:
> >
> > http://help.yahoo.com/help/us/store/store-44.html
> >
> > SecurityTracker thanks Ben Efros for reporting this flaw and Yahoo! for
> > their response and remediation efforts.
> >
> > This advisory is copyright 2004 by SecurityTracker (SecurityGlobal.net
> > LLC). Permission is granted to redistribute this advisory in electronic
> > form in its entirety and without modification.
> >
> > http://securitytracker.com/
> > bugs@...uritytracker.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
<snip>
Status: Fixed by the vendor; Coordinated release
</snip>
Yahoo! Team are ignorant security professionals who work 9 to 5 and don't
actually have a clue about -real- security issues at Yahoo!
Yahoo! Security team deserve no respect from the security community,
they treat people who disclose major vulnerabilities like shit.
Fuck Yahoo! Security Team and Scott Renfro for not fixing his e-mail
headers so they don't disclose his corporate ID..
I sent the vulnerability to Yahoo! months and months ago, but even
though they sign each e-mail with "Yahoo! Security Contact", they
don't seem to mind if the headers show the -real- sender.
Yahoo! Security Team in Sunnyvale seem to have changed the header
<corpID@...alhost> to <yahoo@...alhost>, but Scott Renfro from the
Dallas Incident Response Address seems to leave his mail client with
his corp ID showing.
Let's not forget how stats.yahoo.com got hacked because of silly
employees leaving IDs lying about. Oh, I forgot, the media never got to
find out about that hack..
They have now.
Bye,
xploitable
--
http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
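The option-price flaw the quoted advisory describes, as an added example that is not part of this message and not Yahoo! Store's own code: a constructed merchant catalog, a vulnerable order total that trusts the "(+8.95)" surcharge parsed out of whatever option label the browser submits (so a negative value or an option the merchant never defined lowers the price), and a hardened total that accepts only option names and labels the merchant actually defined, which is the effect the advisory's "Item Options Validation" setting is described as having. Item names, prices, the surcharge regex and the function names are assumptions.

```python
import re
from decimal import Decimal

# Constructed catalog (hypothetical data modelled on the advisory's example).
# "widget" has an Express Shipping option list; "gadget" defines no options.
CATALOG = {
    "widget": {
        "price": Decimal("50.00"),
        "options": {
            "Express Shipping": {
                "No": Decimal("0.00"),
                "Yes (+8.95)": Decimal("8.95"),
            },
        },
    },
    "gadget": {"price": Decimal("20.00"), "options": {}},
}

# Assumed label format: trailing "(+8.95)" / "(-3.50)" surcharge in the text.
PRICE_RE = re.compile(r"\(([+-]?\d+(?:\.\d{1,2})?)\)\s*$")


def parse_option_price(label):
    """Pull the surcharge out of an option label such as 'Yes (+8.95)'."""
    m = PRICE_RE.search(label)
    return Decimal(m.group(1)) if m else Decimal("0.00")


def vulnerable_total(item, submitted):
    """Vulnerable: prices the order from the option text the client sent.

    `submitted` maps option name -> option label exactly as posted by the
    browser, so a tampered label like 'Yes (-45.00)' or an option name the
    merchant never defined is silently honoured.
    """
    total = CATALOG[item]["price"]
    for _name, label in submitted.items():
        total += parse_option_price(label)
    return total


class InvalidOption(ValueError):
    """Raised when a submitted option does not match the merchant's list."""


def validated_total(item, submitted):
    """Hardened: every submitted option must match a merchant-defined one.

    The surcharge comes from the server-side catalog, never from the label
    text, and any unknown option name or label rejects the whole order.
    """
    entry = CATALOG[item]
    total = entry["price"]
    for name, label in submitted.items():
        choices = entry["options"].get(name)
        if choices is None or label not in choices:
            raise InvalidOption(f"unrecognized option {name!r}={label!r}")
        total += choices[label]
    return total


if __name__ == "__main__":
    honest = {"Express Shipping": "Yes (+8.95)"}
    tampered = {"Express Shipping": "Yes (-45.00)"}
    print("honest, vulnerable :", vulnerable_total("widget", honest))
    print("tampered, vulnerable:", vulnerable_total("widget", tampered))
    print("honest, validated  :", validated_total("widget", honest))
    try:
        validated_total("widget", tampered)
    except InvalidOption as exc:
        print("tampered, validated: rejected,", exc)
```

The hardened version also covers the advisory's second case: because "gadget" defines no options, any option posted for it is unrecognized and the order is rejected rather than discounted.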