------=_Part_27375_3973470.1135177294520 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>> Securit= y Advisory <<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D// ------------------------------ --------------------------------------- Multiple YAHOO BUGS --------------------------------------------------------------------- --[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting ( www.nii.co.in) --[ Discovery Date: 07/12/2005 --[ Vendor Contacted: 07/12/2005 --[ vendor response: No response --[Bug released: 21/12/2005 --[ Website: www.yahoo.com --[ Severity: Low *YAHOO MAIL XSS BUG* A XSS bug was identified in YAHOO mail. We are not able to verify whether i= t is remotely exploitable, thus we will call it a bug. Yahoo mail has a *Yahoo Notepad* feature. The same has options for maintaining folder(s). There exists an option to rename a folder. The promp= t which appears allows any arbitrary script execution. However, we are still not able to verify if it is remotely exploitable. Screen shot can be seen at the following links 1. http://www.nii.co.in/vuln/yahoo1.jpg 2. http://www.nii.co.in/vuln/yahoo2.jpg --------------------------------------------------------------------- * Yahoo mail URL injection/URL redirection:-* http://login.yahoo.com/config/login?.intl=3Dus&.src=3Dym&.done=3Dhttp%3a//g= oogle.com The done parameter is not properly sanitized before returning the URL. Thus after successful validation the victim will be redirected to any URL (googl= e here). This can then be followed by a phishing attack. --------------------------------------------------------------------- *Yahoo Videos URL Injection/URL Redirection:-* http://video.search.yahoo.com/video/view?&h=3D92&w=3D120&type=3Drealmedia&r= url=3Dwww.cricketfundas.com%2Fmultimedia.htm&vurl=3Dwww.nii.co.in/index.htm= l&back=3Dp%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%= 3D21&turl=3Dscd.mm-so.yimg.com%2Fimage%2F1791848075&name=3Dtiedtest.ram&no= =3D22&tt=3D24&p=3Dsachin+tendulkar&dur=3D273 Note that the Play video can be made to point to any URL (www.nii.co.inhere).This can be done to other parameters as well. -------------------------------------------------------------------- *Yahoo Multiple URL Redirection:-* eg. http://in.rd.yahoo.com//prop/?http://google.com ------------------------------------------------------------------- Thanks Sumit and Kishor -- Sumit Siddharth Information Security Analyst NII Consulting Web: www.nii.co.in ------------------------------------ NII Security Advisories http://www.nii.co.in/resources/advisories.html ------------------------------------ ------=_Part_27375_3973470.1135177294520 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

//=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>>= ; Security Advisory <<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D//
 

------------------------------

--------------------------------------- Multiple YAHOO BUGS
---------------------------------------------------------------------

 

--[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting (www.nii.co.in)

--[ Discovery Date: 07/12/2005

--[ Vendor Contacted: 07/12/2005

--[ vendor response: No response

--[Bug released: 21/12/2005

--[ Website: www.yahoo.com

--[ Severity: Low

 


  YAHOO MAIL XSS BUG

A XSS bug was identified in YAHOO mail. We are not able to verify whether it is remotely exploitable, thus we will call it a bug.

Yahoo mail has a Yahoo Notepad feature. The same has options fo= r maintaining folder(s). There exists an option to rename a folder. The promp= t which appears allows any arbitrary script execution. However, we are still = not able to verify if it is remotely exploitable.
Screen shot can be seen at the following links

1. http://www.nii.co.in/vu= ln/yahoo1.jpg
2. http://www.nii.co.in/vu= ln/yahoo2.jpg

---------------------------------------------------------------------

Yahoo mail URL injection/URL redirection:-


http://login.yahoo.com/config/login?.intl=3Du= s&.src=3Dym&.done=3Dhttp%3a//google.com

The done parameter is not properly sanitized before returning the URL. Thus after successful validation the victim will be redirected to any URL (google here). This can then be followed by a phishing attack.

---------------------------------------------------------------------

Yahoo Videos URL Injection/URL Redirection:-


http://video.search.yahoo.com/video/view?&h=3D92&w=3D120&type= =3Drealmedia&rurl=3Dwww.cricketfundas.com%2Fmultimedia.htm&vurl=3Dw= ww.nii.co.in/index.html&back=3Dp%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl= %3D0%26cv%3Dg%26fr%3D%26b%3D21&turl=3Dscd.mm-so.yimg.com%2Fimage%2F1791= 848075&name=3Dtiedtest.ram&no=3D22&tt=3D24&p=3Dsachin+tendu= lkar&dur=3D273

Note that the Play video can be made to point to any URL (www.nii.co.in here).This can be done to other parameters as well.

--------------------------------------------------------------------
Yahoo Multiple URL Redirection:-
eg. http://in.rd= .yahoo.com//prop/?http://google.com
-------------------------------------------------------------------
Thanks
Sumit and Kishor


--

Sumit Siddharth
Information Security Analyst
NII Consulting
Web: www.nii.co.in
------------------------------------
NII Security Advisories
http://www.nii.c= o.in/resources/advisories.html
------------------------------------

------=_Part_27375_3973470.1135177294520--