lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060418143258.56550.qmail@web54410.mail.yahoo.com>
Date: Tue Apr 18 15:33:19 2006
From: cesarc56 at yahoo.com (Cesar)
Subject: [Argeniss] Alert - Yahoo! Webmail XSS

It's a Yahoo! Mail XSS vulnerability.
The XSS exploit was really cool, I could identify that
something was wrong because IE status bar displayed
for a couple of seconds a weird URL, address bar
didn't change (MS please change this behaviour!), but
you can be sure that with this exploit 99% of people
would bite. Yahoo! Mail once in a while will ask you
to re login again so it's not so anormal. The exploit
could have been crafted better if it have displayed
some message about session time out or something and
not just redirecting to login page without any
message.
I guess they wanted my password for trying on other
accounts.

Cesar.

Morning Wood wrote: 
> reflecting on this... 
> 
> the offending url you give is
http://w00tynetwork.com/x/ 
> which contains a fake yahoo login ( for webmail ) 
> (( and other exploits embedded within the site )) 
> 
> 
> you state this is a Yahoo Email vulnerability. 
> 
> stop me if im wrong... 
> why would anyone be vulnerable to a Yahoo login
redirect phish, if in 
> fact they are already logged in to read the mail in
the first place. 



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ