BLUE MOON SECURITY ADVISORY 2009-05
===================================


:Title: Cross Site Request Forgery in Yahoo! 360plus
:Severity: Moderate
:Reporter: Thinh Q. Hoang and Blue Moon Consulting
:Products: Yahoo! 360plus
:Fixed in: --


Description
-----------

We could not find out the definitive description for Yahoo! 360plus from Yahoo! website. This is our own understanding of the application: Yahoo! 360plus is a blogging service.

We have discovered a Cross Site Request Forgery vulnerability in Yahoo! 360plus. The attacker could force an unknowning user to remove all her avatars by visiting a specially crafted page while her Yahoo! 360plus session is still valid.

This problem is similar to the one that allowed removal of user comments in Yahoo! 360 (the older version of Yahoo! 360plus). The link to avatar deletion is, in the case of Yahoo! 360plus Vietnam, ``http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1`` where ``prf_photo`` could be ``1``, ``2``, ``3``, or ``4``. Unlike other actions where a ``crumb`` token is required, this action does not require any token and hence suffers from a CSRF vulnerability.

Workaround
----------

Users of Yahoo! 360plus service should only login to make modifications and logout immediately when done.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  June 02, 2009: Initial security alert sent to security@yahoo-inc.com

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: June 10, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn