Date: Mon, 13 Jan 2014 13:38:09 +0100
From: Stefan Schurtz <sschurtz@...nline.de>
To: "Kenneth F. Belva" <full-disclosure@...verbackventuresllc.com>, 
 full-disclosure@...ts.grok.org.uk
Cc: security@...oo-inc.com, Bugcrowd <support@...crowd.com>
Subject: Re: Yahoo Bug Bounty Program Vulnerability #2 Open Redirect

Hi Kenneth,

Thanks for your information.

I make it public because it seems an open redirect isn't a problem or
bug for Yahoo! Security. And as you can see in my advisory or on the
Yahoo Bug Bounty page, open redirects are removed from scope. And I'm
not sure this will be fixed soon.

Kind regards,
Stefan

On 12.01.2014 00:59, Kenneth F. Belva wrote:
> Just as an FYI, I also reported this exact bug to Yahoo! in
> November on 11/21/2013 as part of the BugBash at OWASP AppSecUSA
> 2013 through BugCrowd, prior to your December 13th disclosure date
> to Yahoo.
> 
> As part of my discussions with Yahoo! Security on this issue I was
> told that it was reported to them before my 11/21/13 disclosure.
> 
> It is currently not fixed and, in the interest of responsible 
> disclosure, I did not wish to make it public until the appropriate
> time.
> 
> Ken
> 
> 
> On 01/11/2014 05:40 PM, Stefan Schurtz wrote:
>> Advisory:           Yahoo Bug Bounty Program Vulnerability #2 Open Redirect
>> Advisory ID:        SSCHADV2013-YahooBB-002
>> Author:             Stefan Schurtz
>> Affected Software:  Successfully tested on ads.yahoo.com
>> Vendor URL:         http://yahoo.com
>> Vendor Status:      informed
>>
>> ==========================
>> Vulnerability Description
>> ==========================
>>
>> The 'piggyback'-Parameter on "http://ads.yahoo.com" is prone to
>> an Open Redirect
>>
>> ==========================
>> PoC-Exploit
>> ==========================
>>
>> http://ads.yahoo.com/pixel?id=2454131&t=2&piggyback=http%3a//www.google.de&_msig=10r7s21mt&rmxbkn=26&_cbv=187571889
>>
>> ==========================
>> Solution
>> ==========================
>>
>> -
>>
>> ==========================
>> Disclosure Timeline
>> ==========================
>>
>> 13-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
>> 31-Dec-2013 - next message to the Yahoo Security Contact
>> 04-Jan-2014 - feedback from vendor
>> 04-Jan-2014 - vendor informed again about the three vulnerabilities
>> 06-Jan-2014 - Feedback from vendor - Open redirects are no longer in scope of the Bug Bounty program
>>
>> ==========================
>> Credits
>> ==========================
>>
>> Vulnerability found and advisory written by Stefan Schurtz.
>>
>> ==========================
>> References
>> ==========================
>>
>> http://yahoo.com
>> http://www.darksecurity.de/advisories/BugBounty2013/yahoo/SSCHADV2013-YahooBB-002.tx
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>

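The quoted advisory leaves its Solution section empty. As an added example (not part of the original thread and not Yahoo's code), here is one way a server can constrain a redirect parameter such as `piggyback` to an exact-host allowlist. The hostnames in `ALLOWED_HOSTS` and both function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts this endpoint may redirect to (placeholder values).
ALLOWED_HOSTS = frozenset({"ads.example.com", "partner.example.net"})


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Return value if it is an http(s) URL on an allowed host, else None."""
    # Reject whitespace, control characters and backslashes outright:
    # browsers and URL parsers disagree on how to treat them.
    if not value or any(ord(c) <= 0x20 or c in "\\\x7f" for c in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    # Absolute http(s) only: rejects scheme-relative "//host" and other schemes.
    if parts.scheme not in ("http", "https"):
        return None
    # "user@host" authority sections can disguise the real host.
    if parts.username is not None or parts.password is not None:
        return None
    # Exact match on the parsed host, never a substring or suffix test.
    host = (parts.hostname or "").rstrip(".").lower()
    return value if host in allowed_hosts else None


def redirect_for_request(request_uri, param="piggyback"):
    """Return the validated redirect target for a request, or None."""
    values = parse_qs(urlsplit(request_uri).query).get(param, [])
    if len(values) != 1:  # missing or repeated parameter: do not redirect
        return None
    return safe_redirect_target(values[0])  # parse_qs decoded it once
```

A `None` result means the handler should serve its normal response without issuing a redirect.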
