Full Disclosure mailing list archives
Re: Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Thu, 3 Jun 2004 16:12:49 +0200
When I was into finding XSS, I found holes in just about every web-based
email provider with relative ease... The only one that I found that was
pretty hardened was hotmail (Probably because everyone is trying to find
holes all the time). I bet this is still just the tip of the iceberg for
yahoo, keep up the good work.

Oh, here's one I found a long time ago (yahoo), they probably fixed it by
now, but I haven't checked:

<STYLE>*{width:expression( eval(alert("hello, world!"); )}</STYLE>

BTW. Long time no advisory, guys. I thought you had quit... What have you
been up to?

Cheers,
SkyLined

----- Original Message -----
From: "GreyMagic Software" <security () greymagic com>
To: <full-disclosure () lists netsys com>
Sent: Thursday, June 03, 2004 15:52
Subject: [Full-disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)
GreyMagic Security Advisory GM#006-MC
=====================================

GreyMagic Software, 03 Jun 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm006-mc/.

Topic: Simple Yahoo! Mail Cross-Site Scripting.

Discovery date: 16 May 2004.

Affected applications:
======================

* Yahoo! web-based email service.

Introduction:
=============

Web-based email services and Yahoo! specifically make tremendous efforts to
sanitize incoming emails from potentially unsafe HTML content. Flawed
filtering of such unsafe content may result in severe consequences that
would occur as soon as a user opens an email for reading, including:

* Theft of login and password.
* Content disclosure of any email in the mailbox.
* Automatically send emails from the mailbox.
* Exploitation of known vulnerabilities in the browser to access the user's
  file system and eventually take over the machine.
* Distribution of a web-based email worm.
* Disclosure of all contacts within the address book.

Discussion:
===========

GreyMagic discovered that by sending a maliciously formed email to a Yahoo
user it is possible to circumvent the filter and execute script in the
context of a logged-in Yahoo! user.

A known Cross-Site Scripting weakness is using entities instead of actual
chars, for example: "javascript:alert()".

There is also a variation of that weakness, caused by the way browsers
ignore white-space chars in URLs: "java script:alert()".

Yahoo! properly filters both of these scenarios.

However, a third variation remains unfiltered. It is possible to embed a
javascript URL by using a white-space entity with multiple zero chars in
front of it: "java
script:alert()".

Exploit:
========

The following HTML embedded in an email would show a Yahoo! user's cookie
when opened:

<div style="background-image:url(jav
ascript:alert(document.cookie))">Hel
lo!</div>

Solution:
=========

GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo!
responded promptly and reported that it patched the vulnerability on
24-May-2004.

Tested on:
==========

Yahoo! web-based email service.

Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. GreyMagic Software is not liable for
any direct or indirect damages caused as a result of using the information
or demonstrations provided in any part of this advisory.

- Copyright © 2004 GreyMagic Software.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
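The three filter-evasion variants the advisory describes (an entity-encoded scheme, literal white-space inside the scheme, and a white-space entity padded with leading zeros) all come down to one ordering mistake: checking for "javascript:" before the value has been decoded and normalised the way the browser will decode and normalise it. The following is an added example, not code from GreyMagic, Yahoo! or SkyLined. The "naive" filter is a hypothetical reconstruction of a filter that catches the first two variants and misses the third; it is not Yahoo!'s actual filter. The sample payloads, the function names and the file name are constructed for the example. Run it with Node.js.

```javascript
// Added example for the advisory above; it is not code from GreyMagic,
// Yahoo! or SkyLined. It reconstructs the three "javascript:" URL filter
// evasions the advisory describes and contrasts a hypothetical naive filter
// (not Yahoo!'s real one) with a check that canonicalises the value the way
// a browser does before looking at the scheme. Run with: node entity_bypass.js

// Decode character references once, as the HTML parser does for an attribute
// value: decimal (&#106;), hex (&#x6A;), any number of leading zeros
// (&#0000010;) and a missing trailing semicolon are all accepted. Only the
// few HTML5 named references that can matter inside a URL are handled.
const NAMED_REFS = { Tab: "\t", NewLine: "\n", colon: ":", amp: "&" };

function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : match;
  });
}

// Browsers of the period ignored ASCII control characters and spaces inside
// the scheme, so strip everything at or below 0x20 before reading it.
function canonicalScheme(url) {
  const stripped = url.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Check a URL whose character references have already been decoded.
function isJavascriptUrl(decodedUrl) {
  return canonicalScheme(decodedUrl) === "javascript";
}

// Check a raw attribute value (href, src, ...): decode once, then check.
function hardenedIsJavascriptUrl(rawAttr) {
  return isJavascriptUrl(decodeCharRefs(rawAttr));
}

// Hypothetical naive filter of the kind that, per the advisory, catches the
// entity variant and the literal-whitespace variant but not the third: it
// decodes only short decimal references and drops literal whitespace.
function naiveIsJavascriptUrl(rawAttr) {
  const decoded = rawAttr.replace(/&#([0-9]{1,3});/g, (_, d) => String.fromCharCode(Number(d)));
  return /^javascript:/i.test(decoded.replace(/\s+/g, ""));
}

// The advisory's vector is a CSS url() in a style attribute: decode the
// attribute once, pull out each url() operand (an unquoted operand ends at
// the first ")", as in CSS tokenisation) and apply the same scheme check.
function styleUrls(decodedStyle) {
  const out = [];
  const re = /url\(\s*(['"]?)([^)]*?)\1\s*\)/gi;
  let m;
  while ((m = re.exec(decodedStyle)) !== null) out.push(m[2]);
  return out;
}

function styleHasJavascriptUrl(rawStyle) {
  return styleUrls(decodeCharRefs(rawStyle)).some(isJavascriptUrl);
}

// Constructed samples mirroring the advisory's variants (the newline entity
// is written with leading zeros, as the advisory describes), plus a hex form
// and a benign URL.
const SAMPLES = [
  { url: "javascript:alert(document.cookie)", expect: true },
  { url: "&#106;avascript:alert(document.cookie)", expect: true },
  { url: "java\tscript:alert(document.cookie)", expect: true },
  { url: "jav&#0000010;ascript:alert(document.cookie)", expect: true },
  { url: "jav&#x0A;ascript:alert(document.cookie)", expect: true },
  { url: "http://mail.yahoo.com/", expect: false },
];

// Returns the samples each filter classifies wrongly.
function evaluateFilters(samples = SAMPLES) {
  const naiveMisses = [];
  const hardenedErrors = [];
  for (const { url, expect } of samples) {
    if (naiveIsJavascriptUrl(url) !== expect) naiveMisses.push(url);
    if (hardenedIsJavascriptUrl(url) !== expect) hardenedErrors.push(url);
  }
  return { naiveMisses, hardenedErrors };
}

console.log(JSON.stringify(evaluateFilters(), null, 2));
console.log("advisory-style payload flagged:",
  styleHasJavascriptUrl('background-image:url(jav&#0000010;ascript:alert(document.cookie))'));
```

The naive filter misses exactly the two samples whose newline is carried by a character reference it does not decode (leading zeros and hex), while the canonicalising check rejects all five hostile forms and still accepts the plain http URL. Decoding is done exactly once, because the HTML parser decodes an attribute value once; a filter that decodes repeatedly would reject harmless double-encoded text, and one that decodes only a subset of the reference syntax is what the advisory describes.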
Current thread:
- Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC) GreyMagic Software (Jun 03)
- Re: Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC) Berend-Jan Wever (Jun 03)