Message-ID: <577570.285.qm@web52304.mail.re2.yahoo.com>
Date: Sat, 20 Sep 2008 16:09:42 -0700 (PDT)
From: Martin Fallon <mar_fallon@...oo.com.br>
To: full-disclosure@...ts.grok.org.uk
Subject: ITTS012008 - YAHOO WEB MAIL URL REDIR
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/
ADVISORY/0108 - YAHOO WEB MAIL URL REDIR
PRIORITY: MEDIUM
TYPE: Client Side
I - INTRUDERS:
----------------
The Intruders Tiger Team Security is a project of
SecurityLabs (http://www.securitylabs.com.br). It is a group
of researchers with more than ten years of experience. The group
specializes in penetration tests and special projects such as
mission-critical systems.
II - INTRODUCTION:
------------------
Yahoo Web Mail is one of the largest web mail systems on the Internet.
In Portuguese, it can be accessed at the URL below:
http://mail.yahoo.com.br/
III - DESCRIPTION:
--------------------
Intruders Tiger Team has discovered a URL redirect condition in
Yahoo's web mail system that can be exploited in attacks using social
engineering and phishing scams.
The URL redirect condition can be seen in the following link:
http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com
The ".done" parameter is interpreted by the web mail system AFTER the user's login
has been processed, so the user is automatically redirected to the page
given in the .done argument.
If the user is already logged in, he/she is immediately redirected to
the fake page placed in the .done variable.
IV - ANALYSIS
--------------
The proof of concept can be reproduced by accessing the following link:
https://login.yahoo.com/config/login_verify2?.slogin=&.intl=br&.src=ym&.pd=&.bypass=&.partner=&.done=http%3a//login.yahoo.com/config/exit%3f.direct=2%26.done=http%3a//www.intruders.com.br/%26.src=ym%26.intl=br%26.last=http%3a//br.mail.yahoo.com
or
http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com
The user will see the Yahoo authentication form. He can log in to the system
and, after that, he will be automatically redirected to the site in the .done variable;
in the case above, the site is http://www.intruders.com.br/.
Note that this can be exploited in social engineering attacks where the attacker
could easily forge a fake site and capture the victim's personal information.
V - DETECTION
-------------
Intruders Tiger Team Security has detected this condition in at least three languages
(Portuguese, English and German), but we believe that this problem occurs in all languages
of Yahoo's web mail system.
VI - WORKAROUND
----------------
It is possible to detect and block the passing of sites outside the yahoo.com domain
in the .done parameter.
We suggest using regular expressions in a proxy (Squid) to mitigate this problem.
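The check described in the Description and Workaround sections, as an added example that is not part of this advisory: a small Python filter that extracts the post-login destination parameters from a Yahoo login/exit URL, follows the nested encoding seen in the login_verify2 proof-of-concept link above, and flags any destination whose host lies outside the yahoo.com domain. The allow-list suffixes (yahoo.com plus an assumed yahoo.com.br), the two parameter names checked (.done and .last, taken from the advisory's URLs), the recursion limit and the helper's one-URL-per-line OK/ERR reply convention for wiring it into Squid as an external ACL are all assumptions made for the illustration; the squid.conf lines themselves are not shown.

```python
import sys
from urllib.parse import parse_qs, unquote, urlsplit

# Allow-list of first-party host suffixes. The advisory only names yahoo.com;
# yahoo.com.br is added here as an assumption for the Brazilian portal.
TRUSTED_SUFFIXES = ("yahoo.com", "yahoo.com.br")

# Query parameters that carry a post-login destination in the advisory's URLs.
REDIRECT_PARAMS = (".done", ".last")

# The advisory's own proof-of-concept links, kept here as sample input.
POC_EXIT_URL = ("http://login.yahoo.com/config/exit?.direct=2"
                "&.done=http://www.intruders.com.br/&.src=ym&.intl=br"
                "&.last=http://br.mail.yahoo.com")
POC_NESTED_URL = ("https://login.yahoo.com/config/login_verify2?.slogin=&.intl=br"
                  "&.src=ym&.pd=&.bypass=&.partner="
                  "&.done=http%3a//login.yahoo.com/config/exit%3f.direct=2"
                  "%26.done=http%3a//www.intruders.com.br/%26.src=ym%26.intl=br"
                  "%26.last=http%3a//br.mail.yahoo.com")


def host_is_trusted(host):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def external_redirects(url, depth=0, max_depth=3):
    """Return the off-site destinations reachable through redirect parameters.

    A destination that is itself a trusted login/exit URL is inspected in turn,
    so the doubly encoded .done of the advisory's login_verify2 link is caught.
    """
    found = []
    if depth > max_depth:
        return found
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            # parse_qs already decoded one layer; decode once more so a
            # double-encoded value (%253a) cannot slip past the host check.
            target = unquote(value)
            t = urlsplit(target)
            if not t.hostname:
                continue  # relative path or non-URL value: stays on the origin
            if host_is_trusted(t.hostname):
                found.extend(external_redirects(target, depth + 1, max_depth))
            else:
                found.append(target)
    return found


def should_block(url):
    """Block a request to a trusted host whose redirect parameters leave it."""
    hostname = urlsplit(url).hostname
    if not hostname or not host_is_trusted(hostname):
        return False  # not a Yahoo URL; outside this filter's scope
    return bool(external_redirects(url))


def main():
    # Line-oriented helper: one URL per line on stdin, one verdict per line on
    # stdout. Replying OK means "this URL matches the off-site-redirect ACL";
    # the squid.conf external_acl_type and http_access deny lines that consume
    # that verdict are assumed and not shown here.
    for line in sys.stdin:
        fields = line.split()
        url = fields[0] if fields else ""
        print("OK" if should_block(url) else "ERR", flush=True)


if __name__ == "__main__":
    main()
```

Matching on the decoded destination host rather than on a raw regular expression over the query string is what lets the filter see through the nested and double-encoded forms; a pattern written only against the literal text "http://" would miss the %3a and %253a variants and the scheme-relative "//host" form.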
VII - SOLUTION
-------------
There is no solution so far.
VIII - CHRONOLOGY
----------------
09/09/2008 - Vulnerability Discovered.
09/10/2008 - Attempt to contact yahoo - no success.
09/11/2008 - Attempt to contact yahoo - no success.
09/15/2008 - Attempt to contact yahoo - no success.
09/20/2008 - Advisory published.
IX - CREDITS
--------------
Glaudson Ocampos (Nash Leon) and Intruders Tiger Team
Security discovered this vulnerability.
Thanks to Ygor da Rocha Parrera, Waldemar Nehgme,
Ismael Rocha, Eduardo Camargo and Pamela Ocampos.
http://www.intruders.com.br/
http://www.intruders.org.br/