lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <05d501c69030$6eb34470$650ba8c0@DORKA>
Date: Thu Jun 15 05:03:52 2006
From: very at unprivate.com (php0t)
Subject: Vunerability in yahoo webmail.

That doesn't work any more.
Another one, for Internet Explorer however does work that i found the
other day.
Send yourself one using my POC :)
 
http://zmailhost.ath.cx/
or
http://zmail.zorro.hu/
 
php0t / zorro.hu
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of wac
Sent: Thursday, June 15, 2006 5:51 AM
To: David Loyall
Cc: full-disclosure@...ts.grok.org.uk; abuse@...oo.com
Subject: Re: [Full-disclosure] Vunerability in yahoo webmail.


Hi folks:
Can I get this file somewhere else? Like a web site or something. This
gmail thing detects it as a virus. I doub't yahoo will let it pass
still, that's wht i don;t ask anyne to send it to me ;). I wonder who
asked to have an stupid scanner in the e-mail that you can't disable. I
don't even have one on my computer!!! Anyway I understand I'm not common
kind of people ;). Thanx in advance. 

Waldo


On 6/12/06, David Loyall <david.loyall@...il.com> wrote: 

Hello, all.

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and
executed the code within.  What the hell. =)  It forwarded the message
to my contacts list, (or some other set of addresses, dunno,) and
redirected my browser to a website. 

I'm of to a BBQ, and I don't care about yahoo.  So I'm not even going to
read the code and see how this happens.  I'm attaching the html file as
a text file.  Enjoy!
 
Oh, I've CC'd abuse@...oo.com, but if someone else would give them a
proper write-up, and encourage them to close the hole, that'd be
wonderful. 
 
Cheers,
--David Loyall
Omaha, Nebraska
David  <http://david.loyall.googlepages.com> Loyall

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060615/9f983052/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ