exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

yahooXSS.txt

yahooXSS.txt
Posted Dec 28, 2005
Authored by Sumit Siddharth

Multiple bugs were discovered in Yahoo which can allow XSS and URL redirection.

tags | advisory
SHA-256 | e1e3e813dcfef49b0c3ecc32996e1eab0304d56bc11d1c5bde50e3c747dc1c0c

yahooXSS.txt

Change Mirror Download
------=_Part_27375_3973470.1135177294520
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

//=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>> Securit=
y Advisory <<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D//



------------------------------

---------------------------------------
Multiple YAHOO BUGS
---------------------------------------------------------------------



--[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting (
www.nii.co.in)

--[ Discovery Date: 07/12/2005

--[ Vendor Contacted: 07/12/2005

--[ vendor response: No response

--[Bug released: 21/12/2005

--[ Website: www.yahoo.com

--[ Severity: Low




*YAHOO MAIL XSS BUG*

A XSS bug was identified in YAHOO mail. We are not able to verify whether i=
t
is remotely exploitable, thus we will call it a bug.

Yahoo mail has a *Yahoo Notepad* feature. The same has options for
maintaining folder(s). There exists an option to rename a folder. The promp=
t
which appears allows any arbitrary script execution. However, we are still
not able to verify if it is remotely exploitable.
Screen shot can be seen at the following links

1. http://www.nii.co.in/vuln/yahoo1.jpg
2. http://www.nii.co.in/vuln/yahoo2.jpg

---------------------------------------------------------------------
*
Yahoo mail URL injection/URL redirection:-*

http://login.yahoo.com/config/login?.intl=3Dus&.src=3Dym&.done=3Dhttp%3a//g=
oogle.com


The done parameter is not properly sanitized before returning the URL. Thus
after successful validation the victim will be redirected to any URL (googl=
e
here). This can then be followed by a phishing attack.

---------------------------------------------------------------------

*Yahoo Videos URL Injection/URL Redirection:-*


http://video.search.yahoo.com/video/view?&h=3D92&w=3D120&type=3Drealmedia&r=
url=3Dwww.cricketfundas.com%2Fmultimedia.htm&vurl=3Dwww.nii.co.in/index.htm=
l&back=3Dp%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%=
3D21&turl=3Dscd.mm-so.yimg.com%2Fimage%2F1791848075&name=3Dtiedtest.ram&no=
=3D22&tt=3D24&p=3Dsachin+tendulkar&dur=3D273


Note that the Play video can be made to point to any URL
(www.nii.co.inhere).This can be done to other parameters as well.

--------------------------------------------------------------------
*Yahoo Multiple URL Redirection:-*
eg. http://in.rd.yahoo.com//prop/?http://google.com<http://in.rd.yahoo.com/=
prop/?http://google.com>
-------------------------------------------------------------------
Thanks
Sumit and Kishor


--

Sumit Siddharth
Information Security Analyst
NII Consulting
Web: www.nii.co.in
------------------------------------
NII Security Advisories
http://www.nii.co.in/resources/advisories.html
------------------------------------

------=_Part_27375_3973470.1135177294520
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<br clear=3D"all">
<p>//=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>&gt=
; Security Advisory
<<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D//<b=
r>
<br>
&nbsp;<br>
<br>
------------------------------ </p>



<p style=3D"margin-bottom: 12pt;">---------------------------------------<b=
r>
Multiple YAHOO BUGS<br>
---------------------------------------------------------------------<br>
<br>
&nbsp;<br>
<br>
--[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting (<a href=3D=
"http://www.nii.co.in/" target=3D"_blank" onclick=3D"return top.js.OpenExtL=
ink(window,event,this)">www.nii.co.in</a>)<br>
<br>
--[ Discovery Date: 07/12/2005<br>
<br>
--[ Vendor Contacted: 07/12/2005<br>
<br>
--[ vendor response: No response<br>
<br>
--[Bug released: 21/12/2005<br>
<br>
--[ Website: <a href=3D"http://www.yahoo.com/" target=3D"_blank" onclick=3D=
"return top.js.OpenExtLink(window,event,this)">www.yahoo.com</a><br>
<br>
--[ Severity: Low<br>
<br>
&nbsp;<br>
<br>
<br>&nbsp;
<b>YAHOO MAIL XSS BUG</b><br>
<br>
A XSS bug was identified in YAHOO mail. We are not able to verify whether
it is remotely exploitable, thus we will call it a bug.<br>
<br>
Yahoo mail&nbsp;has a <b>Yahoo Notepad</b> feature. The same has options fo=
r
maintaining folder(s). There exists an option to rename a folder. The promp=
t
which appears allows any arbitrary script execution. However, we are still =
not
able to verify if it is remotely exploitable.<br>
Screen shot can be seen at the following&nbsp;links<br>
<br>
1. <a href=3D"http://www.nii.co.in/vuln/yahoo1.jpg" target=3D"_blank" oncli=
ck=3D"return top.js.OpenExtLink(window,event,this)">http://www.nii.co.in/vu=
ln/yahoo1.jpg</a><br>
2. <a href=3D"http://www.nii.co.in/vuln/yahoo2.jpg" target=3D"_blank" oncli=
ck=3D"return top.js.OpenExtLink(window,event,this)">http://www.nii.co.in/vu=
ln/yahoo2.jpg</a><br>
<br>
---------------------------------------------------------------------<br>
<b><br>
Yahoo mail URL injection/URL redirection:-</b><br>
<br>
<a href=3D"http://login.yahoo.com/config/login?.intl=3Dus&.src=3Dym&amp=
;.done=3Dhttp%3a//google.com" target=3D"_blank" onclick=3D"return top.js.Op=
enExtLink(window,event,this)">http://login.yahoo.com/config/login?.intl=3Du=
s&.src=3Dym&.done=3Dhttp%3a//google.com
</a><br>
<br>
The done parameter is not properly sanitized before returning the URL. Thus
after successful validation the victim will be redirected to any&nbsp;URL
(google here). This can then be followed by a phishing attack.<br>
<br>
---------------------------------------------------------------------<br>
<br>
<b>Yahoo Videos URL Injection/URL Redirection:-</b><br>
<br>
<br>
<a href=3D"http://video.search.yahoo.com/video/view?&h=3D92&w=3D120=
&type=3Drealmedia&rurl=3Dwww.cricketfundas.com%2Fmultimedia.htm&amp=
;vurl=3Dwww.nii.co.in/index.html&back=3Dp%3Dsachin%2Btendulkar%26ei%3DU=
TF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%3D21&turl=3Dscd.mm-so.yimg.com%2Fima=
ge%2F1791848075&name=3Dtiedtest.ram&no=3D22&tt=3D24&p=3Dsac=
hin+tendulkar&dur=3D273" target=3D"_blank" onclick=3D"return top.js.Ope=
nExtLink(window,event,this)">



http://video.search.yahoo.com/video/view?&h=3D92&w=3D120&type=
=3Drealmedia&rurl=3Dwww.cricketfundas.com%2Fmultimedia.htm&vurl=3Dw=
ww.nii.co.in/index.html&back=3Dp%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl=
%3D0%26cv%3Dg%26fr%3D%26b%3D21&turl=3Dscd.mm-so.yimg.com%2Fimage%2F1791=
848075&name=3Dtiedtest.ram&no=3D22&tt=3D24&p=3Dsachin+tendu=
lkar&dur=3D273
</a><br>
<br>
Note that the Play video can be made to point to any URL (<a href=3D"http:/=
/www.nii.co.in/" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(win=
dow,event,this)">www.nii.co.in</a> here).This can be done to other
parameters as well.<br>
<br>
--------------------------------------------------------------------<br>
<b>Yahoo Multiple URL Redirection:-</b><br>
eg. <a href=3D"http://in.rd.yahoo.com/prop/?http://google.com" target=3D"_b=
lank" onclick=3D"return top.js.OpenExtLink(window,event,this)">http://in.rd=
.yahoo.com//prop/?http://google.com</a><br>
-------------------------------------------------------------------<br>
Thanks<br>
Sumit and Kishor<br>
<br clear=3D"all">
<br>
-- <br>
<br>
Sumit Siddharth<br>
Information Security Analyst<br>
NII Consulting<br>
Web: <a href=3D"http://www.nii.co.in/" target=3D"_blank" onclick=3D"return =
top.js.OpenExtLink(window,event,this)">www.nii.co.in </a><br>
------------------------------------<br>
NII Security Advisories <br>
<a href=3D"http://www.nii.co.in/resources/advisories.html" target=3D"_blank=
" onclick=3D"return top.js.OpenExtLink(window,event,this)">http://www.nii.c=
o.in/resources/advisories.html</a><br>
------------------------------------ <br>
<br>
</p>



------=_Part_27375_3973470.1135177294520--
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close