lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090610130841.b0a4df7d.namn@bluemoon.com.vn>
Date: Wed, 10 Jun 2009 13:08:41 +0700
From: Nam Nguyen <namn@...emoon.com.vn>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [BMSA 2009-05] Cross Site Request Forgery in
	Yahoo! 360plus

BLUE MOON SECURITY ADVISORY 2009-05
===================================


:Title: Cross Site Request Forgery in Yahoo! 360plus
:Severity: Moderate
:Reporter: Thinh Q. Hoang and Blue Moon Consulting
:Products: Yahoo! 360plus
:Fixed in: --


Description
-----------

We could not find out the definitive description for Yahoo! 360plus from Yahoo! website. This is our own understanding of the application: Yahoo! 360plus is a blogging service.

We have discovered a Cross Site Request Forgery vulnerability in Yahoo! 360plus. The attacker could force an unknowning user to remove all her avatars by visiting a specially crafted page while her Yahoo! 360plus session is still valid.

This problem is similar to the one that allowed removal of user comments in Yahoo! 360 (the older version of Yahoo! 360plus). The link to avatar deletion is, in the case of Yahoo! 360plus Vietnam, ``http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1`` where ``prf_photo`` could be ``1``, ``2``, ``3``, or ``4``. Unlike other actions where a ``crumb`` token is required, this action does not require any token and hence suffers from a CSRF vulnerability.

Workaround
----------

Users of Yahoo! 360plus service should only login to make modifications and logout immediately when done.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  June 02, 2009: Initial security alert sent to security@...oo-inc.com

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: June 10, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ