Re: Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)

["Berend-Jan Wever" <SkyLined () edup tudelft nl>]

When I was into finding XSS, I found holes in just about every web-based
email provider with relative ease... The only one that I found was pretty
hardened was hotmail (Probably because everyone is trying to find holes all
the time).
I bet this is still just the tip of the iceberg for yahoo, keep up the good
work.

Oh, here's one I found long time ago (yahoo), they probably fixed it by now,
but I haven't checked:
<STYLE>*{width:expression( eval(alert("hello, world!"); )}</STYLE>

BTW. Long time no advisory, guys. I thought you had quit... What have you
been up to ?

Cheers,
SkyLined


----- Original Message ----- 
From: "GreyMagic Software" <security () greymagic com>
To: <full-disclosure () lists netsys com>
Sent: Thursday, June 03, 2004 15:52
Subject: [Full-disclosure] Simple Yahoo! Mail Cross-Site Scripting
(GM#006-MC)


> GreyMagic Security Advisory GM#006-MC
> =====================================
>
> GreyMagic Software, 03 Jun 2004.
>
> Available in HTML format at
> http://www.greymagic.com/security/advisories/gm006-mc/.
>
> Topic: Simple Yahoo! Mail Cross-Site Scripting.
>
> Discovery date: 16 May 2004.
>
> Affected applications:
> ======================
>
> * Yahoo! web-based email service.
>
>
> Introduction:
> =============
>
> Web-based email services and Yahoo! specifically make tremendous efforts
to
> sanitize incoming emails from potentially unsafe HTML content. Flawed
> filtering of such unsafe content may result in severe consequences that
> would occur as soon as a user opens an email for reading, including:
>
> * Theft of login and password.
> * Content disclosure of any email in the mailbox.
> * Automatically send emails from the mailbox.
> * Exploitation of known vulnerabilities in the browser to access the
user's
> file system and eventually take over the machine.
> * Distribution of a web-based email worm.
> * Disclosure of all contacts within the address book.
>
>
> Discussion:
> ===========
>
> GreyMagic discovered that by sending a maliciously formed email to a Yahoo
> user it is possible to circumvent the filter and execute script in the
> context of a logged-in Yahoo! user.
>
> A known Cross-Site Scripting weakness is using entities instead of actual
> chars, for example: "jav&#97script:alert()". There is also a variation of
> that weakness, caused by the way browsers ignore white-space chars in
URLs:
> "java&#13;script:alert()". Yahoo! properly filters both of these
scenarios.
> However, a third variation remains unfiltered. It is possible to embed a
> javascript URL by using a white-space entity with multiple zero chars in
> front of it: "java&#000013;script:alert()".
>
>
> Exploit:
> ========
>
> The following HTML embedded in an email would show a Yahoo! user's cookie
> when opened:
>
> <div
style="background-image:url(jav&#000013;ascript:alert(document.cookie))">Hel
> lo!</div>
>
>
> Solution:
> =========
>
> GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo!
> responded promptly and reported that it patched the vulnerability on
> 24-May-2004.
>
>
> Tested on:
> ==========
>
> Yahoo! web-based email service.
>
>
> Disclaimer:
> ===========
>
> The information in this advisory and any of its demonstrations is provided
> "as is" without warranty of any kind.
>
> GreyMagic Software is not liable for any direct or indirect damages caused
> as a result of using the information or demonstrations provided in any
part
> of this advisory.
>
> - Copyright © 2004 GreyMagic Software.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html