| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <531AF8A3.1050700@t-online.de>
Date: Sat, 08 Mar 2014 12:01:55 +0100
From: Stefan Schurtz <sschurtz@...nline.de>
To: Jann Horn <jann@...jh.net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Yahoo Bug Bounty Program Vulnerability #3 XSS
on de-mg42.mail.yahoo.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Jann,
you're right...bad description here (too much copy & paste) :)
The XSS is cookie-based, so you can find it in the cookie with the
payload.
Please see "&intl=dec52a6"-alert(document.domain)-"c8d9133635e;"
Kind regards,
Stefan
Am 08.03.2014 11:40, schrieb Jann Horn:
> On Sat, Mar 08, 2014 at 11:24:03AM +0100, Stefan Schurtz wrote:
>> The 'intl'-Paramter on "https://de-mg42.mail.yahoo.com/" is
>> prone to a Cross-site Scripting vulnerability [...] GET
>> https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr
>>
>> Host: de-mg42.mail.yahoo.com [...]
>
> Uh, where is that intl parameter you speak of? the only parameter
> I see here is .rand, which, as far as I know, just serves to
> circumvent caching. And where is the XSS payload?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlMa+J0ACgkQg3svV2LcbMCRLwCfR1L1XiqxEjnT4F8Z/MYJFbLS
KSoAnRQAMaK6woO866COwlK1kPsYaueu
=wg9L
-----END PGP SIGNATURE-----
Download attachment "0x62DC6CC0.asc" of type "application/pgp-keys" (1800 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists